From: Liping Zhang
For sw_flow_actions, the actions_len only represents the kernel part's
size, and when we dump the actions to the userspace, we will do the
conversions, so its true size may become bigger than the actions_len.
But unfortunately, for OVS_PACKET_ATTR_ACTIONS,
2017-08-16 7:35 GMT+08:00 Pravin Shelar :
[...]
>> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
>> index e4610676299b..f849ef52853f 100644
>> --- a/net/openvswitch/actions.c
>> +++ b/net/openvswitch/actions.c
>> @@ -921,6 +921,7 @@ static int output_userspace(struct datapath *
From: Liping Zhang
For sw_flow_actions, the actions_len only represents the kernel part's
size, and when we dump the actions to the userspace, we will do the
conversions, so its true size may become bigger than the actions_len.
But unfortunately, for OVS_PACKET_ATTR_ACTIONS,
2017-08-15 13:01 GMT+08:00 Pravin Shelar :
[...]
>> net/openvswitch/actions.c | 39 +--
>> net/openvswitch/datapath.c | 2 +-
>> net/openvswitch/datapath.h | 1 +
>> 3 files changed, 27 insertions(+), 15 deletions(-)
>>
>> diff --git a/net/openvswitch/actions
From: Liping Zhang
For sw_flow_actions, the actions_len only represents the kernel part's
size, and when we dump the actions to the userspace, we will do the
conversions, so its true size may become bigger than the actions_len.
But unfortunately, for OVS_PACKET_ATTR_ACTIONS,
From: Liping Zhang
Before the 'type' is validated, we shouldn't use it to fetch the
ovs_ct_attr_lens's minlen and maxlen, else, out of bound access
may happen.
Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Signed-off-by: Liping Zhang
---
net/openvswi
From: Liping Zhang
On our 4-core system, sometimes I can enable all CPUs to process packets.
But sometimes I can't, if all the CPUs become offline except core 0, I
will get the following result, which is really annoying for my script:
# echo f > /sys/class/net/eth0/queues/rx-0/rps_cpu
2017-04-09 16:26 GMT+08:00 Jan Engelhardt :
>
> On Sunday 2017-04-09 05:42, Arushi Singhal wrote:
>>On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso wrote:
>> On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote:
>> > On Saturday 2017-04-08 19:21, Arushi Singhal wrote:
>>
Hi David,
2017-03-16 18:58 GMT+08:00 David Laight :
[...]
>> For the similar reason, when loading an u16 value from the u32 data
>> register, we should use "*(u16 *) sreg;" instead of "(u16)*sreg;",
>> the 2nd method will get the wrong value in the big-endian system.
> ...
>
> That seems to be pape
Hi,
2017-03-02 18:18 GMT+08:00 Gao Feng :
[...]
> The expect class is NF_CT_EXPECT_CLASS_DEFAULT, and proto is
> IPPROTO_UDP at the function "expect_rtp_rtcp",
> And it makes sure the port is even number.
>
> But look at the process_gcf, the port is got from the packet data at
> function get_h225_a
Hi,
2017-03-02 15:57 GMT+08:00 :
> From: Gao Feng
>
> When h323 and sip try to insert expect nodes, they would increase
> the port by 2 for loop, and the loop condition is that "port != 0".
> So when the start port is odd number, port never increases to zero.
This seems will never happen, since
From: Liping Zhang
This will add stricter validating for RTA_MARK attribute.
Signed-off-by: Liping Zhang
---
net/ipv4/fib_frontend.c | 1 +
net/ipv6/route.c| 1 +
2 files changed, 2 insertions(+)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index b39a791..42bfd08
2016-10-12 14:08 GMT+08:00 Dan Carpenter :
> We don't want to allow negatives here.
>
> Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
> netlink attributes')
> Signed-off-by: Dan Carpenter
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
>
2016-10-11 11:57 GMT+08:00 Chris Caputo :
> I have tested the above patch with 4.8.1, with and without nflog-size
> defined in an iptables configuration, and it works well.
>
> The ulogd-2.0.5 segfaults no longer happen when nflog-size is not present
> in a target.
>
> I recommend this fix.
Thanks
2016-10-11 2:33 GMT+08:00 Chris Caputo :
>>
>> What numbers did you specify after --nflog-size option?
>> --nflog-size 0 or ...? If you want to log the whole packet to
>> the ulogd, please do not specify this nflog-size option.
>
> Not specifying nflog-size does not appear to log the whole packet...
>
Hi Chris,
2016-10-10 15:02 GMT+08:00 Chris Caputo :
> On Tue, 4 Oct 2016, Justin Piszcz wrote:
>> kernel 4.8 with ulogd-2.0.5- IPs are no longer logged:
>>
>> Oct 4 17:51:30 atom INPUT_BLOCK IN=eth1 OUT=
>> MAC=00:1b:21:9c:3b:fa:3e:94:d5:d2:49:1e:08:00 LEN=0 TOS=00 PREC=0x00
>> TTL=0 ID=0 PROTO=0
Hi Justin,
2016-10-05 6:02 GMT+08:00 Justin Piszcz :
> Hello,
>
> kernel 4.8 with ulogd-2.0.5- IPs are no longer logged:
>
> Oct 4 17:51:30 atom INPUT_BLOCK IN=eth1 OUT=
> MAC=00:1b:21:9c:3b:fa:3e:94:d5:d2:49:1e:08:00 LEN=0 TOS=00 PREC=0x00
> TTL=0 ID=0 PROTO=0 MARK=0
> Oct 4 17:51:31 atom INPUT
2016-09-28 11:08 GMT+08:00 Liping Zhang :
> Hi Feng,
>
> 2016-09-28 9:23 GMT+08:00 Feng Gao :
>> Hi Aaron,
>>
>> On Tue, Sep 27, 2016 at 9:38 PM, Aaron Conole wrote:
>>> It's possible for nf_hook_entry_head to return NULL if two
>>> nf_unre
Hi Feng,
2016-09-28 9:23 GMT+08:00 Feng Gao :
> Hi Aaron,
>
> On Tue, Sep 27, 2016 at 9:38 PM, Aaron Conole wrote:
>> It's possible for nf_hook_entry_head to return NULL if two
>> nf_unregister_net_hook calls happen simultaneously with a single hook
>
> The critical region of nf_unregister_net_h
Hi Vishwanath Pai,
2016-09-27 15:42 GMT+08:00 Vishwanath Pai :
> Fix link error in 32bit arch because of 64bit division
This should be "netfilter: xt_hashlimit: fix ... "
>
> --- a/net/netfilter/xt_hashlimit.c
> +++ b/net/netfilter/xt_hashlimit.c
> @@ -465,19 +465,20 @@ static u64 user2credits(
Hi Feng,
2016-09-27 14:00 GMT+08:00 Gao Feng :
> Hi Liping,
>
>>
>> This xt_osf_user_finger{} is carefully designed, no padding now, and
>> will not be changed in the future, otherwise backward compatibility will
>> be broken.
>
> Yes, there is no padding now. So it is ok to use memcmp now.
> I am
Hi Feng,
2016-09-27 12:39 GMT+08:00 :
> From: Gao Feng
>
> Current xt_osf codes use memcmp to check if two user fingers are same,
> so it depends on that the struct xt_osf_user_finger is no padding.
> It is one implicit rule, and is not good to maintain.
>
> Now use zero memory and assign the me
Hi Vishwanath,
2016-09-23 0:43 GMT+08:00 Vishwanath Pai :
>
> /* Precision saver. */
> -static u32 user2credits(u32 user)
> +static u64 user2credits(u64 user, int revision)
> {
> - /* If multiplying would overflow... */
> - if (user > 0x / (HZ*CREDITS_PER_JIFFY_v1))
> -
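Review bot: the `/* Precision saver. */` comment above user2credits() no longer covers the new signature: the added `int revision` argument is undocumented, and nothing in the visible lines says which values it accepts or what it selects. Please extend the comment to state that, and consider an unsigned type for `revision` if negative values have no meaning.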
From: Liping Zhang
In ip monitor, netns_map_init will check getnsid is supported or not.
But when /proc/self/ns/net does not exist, we just print out error
messages and exit. So user cannot use ip monitor anymore when
CONFIG_NET_NS is disabled:
# ip monitor
open("/proc/self/ns/net"
Hi Feng,
2016-09-02 9:48 GMT+08:00 :
> From: Gao Feng
> @@ -171,6 +176,11 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
> struct nf_ct_seqadj *this_way, *other_way;
> int res;
>
> + if (unlikely(!seqadj)) {
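Review bot: the new `if (unlikely(!seqadj))` guard in nf_ct_seq_adjust() does not say which caller can arrive here without a seqadj extension. Please name that path in a comment or in the commit message, so the guard can be judged against the checks the callers already perform.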
IPS_SEQ_ADJUST_BIT will be tested before we call nf_ct_seq_adjust(),
2016-07-18 11:39 GMT+08:00 :
> From: Gao Feng
>
> Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister
> functions to enhance the conntrack helper codes.
I think this patch is breaking something ...
This irc:
> - if (ports[i] == IRC_PORT)
> - sprin
2016-07-04 14:14 GMT+08:00 Christophe Leroy :
>> I think there is no need to convert simple_strtoul to kstrtouint, add
>> a further check seems better?
>> Like this:
>> - if (!cseq) {
>> + if (!cseq && *(*dptr + matchoff) != '0') {
>>
>
> And what about an invalid CSeq that would look
2016-07-01 17:48 GMT+08:00 Christophe Leroy :
> Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq.
>
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -1368,6 +1368,7 @@ static int process_sip_response(struct sk_buff *skb,
> unsigned int pro
From: Liping Zhang
A socket can use bind(directly) or connect(indirectly) to bind to a local
ip address, and later if the network becomes down, that causes the source
address to become nonlocal, then send() call will fail and return EINVAL.
But this error code is confusing, actually we did not
From: Liping Zhang
This patch version 2 split the original patch into 2 patches, because it fixes
two separate problems actually.
Liping Zhang (2):
net: socket: return EADDRNOTAVAIL when source address becomes
nonlocal
net: socket: return EADDRNOTAVAIL when IPV6_PKTINFO's ipi6_ad
From: Liping Zhang
We can use IPV6_PKTINFO to specify the ipv6 source address when call
sendmsg() to send packet, but if the address is not available, call will
fail and EINVAL is returned. This error code is not very appropriate,
it failed maybe just because of a temporary network problem, i.e
From: Liping Zhang
1. Socket can use bind(directly) or connect(indirectly) to bind to a local
ip address, and later if the network becomes down, that causes the source
address to become nonlocal, then send() call will fail and return EINVAL.
But this error code is confusing, actually we