
[0/5] ipset patches for nf-next

Message ID 20181210133938.6740-1-kadlec@blackhole.kfki.hu
State Changes Requested
Delegated to: Pablo Neira

Pull-request

git://blackhole.kfki.hu/nf-next c8770d8908fd

Message

Jozsef Kadlecsik Dec. 10, 2018, 1:39 p.m. UTC
Hi Pablo,

Please consider to pull the next patches for nf-next:

- Replace a strncpy() with strscpy() from Qian Cai.
- Do not call ipset_nest_end() after nla_nest_cancel() in the error
  path in list_set_list() from Pan Bian.
- Introduction of new commands and thus protocol version 7. The
  new commands make it possible to eliminate the getsockopt interface
  of ipset and use solely netlink to communicate with the kernel.
  Due to the strict attribute checking both in user/kernel space,
  a new protocol number was introduced. Both the kernel and userspace are
  fully backward compatible. The "fix ip_set_byindex function" patch
  in the ipset git tree from Florent Fourcot is merged into the patch.
- Make invalid MAC address checks consistent, from Stefano Brivio.
  The patch depends on the next one.
- Allow matching on destination MAC address for mac and ipmac sets,
  also from Stefano Brivio.

Best regards,
Jozsef

The following changes since commit 30beabb3c32122d533ce0e2fc712f9d720a82f9f:

  net: phy: marvell: remove set but not used variable 'pause' (2018-11-11 18:19:50 -0800)

are available in the git repository at:

  git://blackhole.kfki.hu/nf-next c8770d8908fd

for you to fetch changes up to c8770d8908fd5a5abc5061f5c57d55593ba86d8b:

  netfilter: ipset: replace a strncpy() with strscpy() (2018-12-10 14:12:50 +0100)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: Introduction of new commands and protocol version 7

Pan Bian (1):
      netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel

Qian Cai (1):
      netfilter: ipset: replace a strncpy() with strscpy()

Stefano Brivio (2):
      netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets
      netfilter: ipset: Make invalid MAC address checks consistent

 include/linux/netfilter/ipset/ip_set.h      |   2 +-
 include/uapi/linux/netfilter/ipset/ip_set.h |  19 ++--
 net/netfilter/ipset/ip_set_bitmap_ipmac.c   |  13 ++-
 net/netfilter/ipset/ip_set_core.c           | 170 ++++++++++++++++++++++++----
 net/netfilter/ipset/ip_set_hash_ipmac.c     |  27 ++---
 net/netfilter/ipset/ip_set_hash_mac.c       |  10 +-
 net/netfilter/ipset/ip_set_list_set.c       |   2 +-
 7 files changed, 192 insertions(+), 51 deletions(-)

Comments

Pablo Neira Ayuso Dec. 12, 2018, 11:54 p.m. UTC | #1
On Mon, Dec 10, 2018 at 02:39:33PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> Please consider to pull the next patches for nf-next:
> 
> - Replace a strncpy() with strscpy() from Qian Cai.
> - Do not call ipset_nest_end() after nla_nest_cancel() in the error
>   path in list_set_list() from Pan Bian.
> - Introduction of new commands and thus protocol version 7. The
>   new commands make it possible to eliminate the getsockopt interface
>   of ipset and use solely netlink to communicate with the kernel.
>   Due to the strict attribute checking both in user/kernel space,
>   a new protocol number was introduced. Both the kernel and userspace are
>   fully backward compatible. The "fix ip_set_byindex function" patch
>   in the ipset git tree from Florent Fourcot is merged into the patch.
> - Make invalid MAC address checks consistent, from Stefano Brivio.
>   The patch depends on the next one.
> - Allow matching on destination MAC address for mac and ipmac sets,
>   also from Stefano Brivio.

Hm, I think I got you confused when discussing this pull-request.
Patches 1-3 are already in the nf-next tree. I'm telling this because
I thought the fix from Florent was only in your tree, but it is
already here in nf-next git.

I think we need the independent fix from Florent Fourcot, as an
independent patch for nf-next. If Florent's patch is in patchwork,
please pass me the link and I'll take it from there.

Anyway, I took the liberty to route your patch 4/5 to nf.git as a fix.

Patch 5/5 is rare, the gcc warning looks wrong? And strscpy will never
fail?

Thanks Jozsef!
Jozsef Kadlecsik Dec. 13, 2018, 12:57 p.m. UTC | #2
Hi Pablo,

On Thu, 13 Dec 2018, Pablo Neira Ayuso wrote:

> On Mon, Dec 10, 2018 at 02:39:33PM +0100, Jozsef Kadlecsik wrote:
> > 
> > Please consider to pull the next patches for nf-next:
> > 
> > - Replace a strncpy() with strscpy() from Qian Cai.
> > - Do not call ipset_nest_end() after nla_nest_cancel() in the error
> >   path in list_set_list() from Pan Bian.
> > - Introduction of new commands and thus protocol version 7. The
> >   new commands make it possible to eliminate the getsockopt interface
> >   of ipset and use solely netlink to communicate with the kernel.
> >   Due to the strict attribute checking both in user/kernel space,
> >   a new protocol number was introduced. Both the kernel and userspace are
> >   fully backward compatible. The "fix ip_set_byindex function" patch
> >   in the ipset git tree from Florent Fourcot is merged into the patch.
> > - Make invalid MAC address checks consistent, from Stefano Brivio.
> >   The patch depends on the next one.
> > - Allow matching on destination MAC address for mac and ipmac sets,
> >   also from Stefano Brivio.
> 
> Hm, I think I got you confused when discussing this pull-request.
> Patches 1-3 are already in the nf-next tree. I'm telling this because
> I thought the fix from Florent was only in your tree, but it is
> already here in nf-next git.
>
> I think we need the independent fix from Florent Fourcot, as an
> independent patch for nf-next. If Florent's patch is in patchwork,
> please pass me the link and I'll take it from there.

Yes, that confused me; better to apply the independent patch from Florent
Fourcot. It can be found here (not patchwork, though):
https://marc.info/?l=netfilter-devel&m=154333572628311&w=2

> Anyway, I took the liberty to route your patch 4/5 to nf.git as a fix.

Thanks!
 
> Patch 5/5 is rare, the gcc warning looks wrong? And strscpy will never 
> fail?

The gcc warning is definitely wrong, the target data size is verified 
previously. But I suppose gcc cannot figure it out, so better silence the 
warning. strscpy() may return an error code which is checked and passed 
back.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
Pablo Neira Ayuso Dec. 13, 2018, 11:03 p.m. UTC | #3
Hi Jozsef,

On Thu, Dec 13, 2018 at 01:57:57PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> On Thu, 13 Dec 2018, Pablo Neira Ayuso wrote:
> 
> > On Mon, Dec 10, 2018 at 02:39:33PM +0100, Jozsef Kadlecsik wrote:
> > > 
> > > Please consider to pull the next patches for nf-next:
> > > 
> > > - Replace a strncpy() with strscpy() from Qian Cai.
> > > - Do not call ipset_nest_end() after nla_nest_cancel() in the error
> > >   path in list_set_list() from Pan Bian.
> > > - Introduction of new commands and thus protocol version 7. The
> > >   new commands make it possible to eliminate the getsockopt interface
> > >   of ipset and use solely netlink to communicate with the kernel.
> > >   Due to the strict attribute checking both in user/kernel space,
> > >   a new protocol number was introduced. Both the kernel and userspace are
> > >   fully backward compatible. The "fix ip_set_byindex function" patch
> > >   in the ipset git tree from Florent Fourcot is merged into the patch.
> > > - Make invalid MAC address checks consistent, from Stefano Brivio.
> > >   The patch depends on the next one.
> > > - Allow matching on destination MAC address for mac and ipmac sets,
> > >   also from Stefano Brivio.
> > 
> > Hm, I think I got you confused when discussing this pull-request.
> > Patches 1-3 are already in the nf-next tree. I'm telling this because
> > I thought the fix from Florent was only in your tree, but it is
> > already here in nf-next git.
> >
> > I think we need the independent fix from Florent Fourcot, as an
> > independent patch for nf-next. If Florent's patch is in patchwork,
> > please pass me the link and I'll take it from there.
> 
> Yes, that confused me; better to apply the independent patch from Florent
> Fourcot. It can be found here (not patchwork, though):
> https://marc.info/?l=netfilter-devel&m=154333572628311&w=2

Sorry for the confusion. Patch is applied.

> > Patch 5/5 is rare, the gcc warning looks wrong? And strscpy will never 
> > fail?
> 
> The gcc warning is definitely wrong, the target data size is verified 
> previously. But I suppose gcc cannot figure it out, so better silence the 
> warning. strscpy() may return an error code which is checked and passed 
> back.

Thanks, I have also applied this to nf-next.
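The strncpy()/strscpy() exchange in comments #2 and #3 turns on a property worth seeing in code: strncpy() writes no terminating NUL when the source fills the destination, whereas strscpy() always terminates and returns -E2BIG on truncation, so the caller can check the return value and pass the error back, which is the pattern Jozsef describes. The following is an added example written for this page; it is not code from the ipset patch or the kernel. model_strscpy() is a userspace re-implementation of the documented kernel strscpy() semantics (an assumption stated in the code), and the struct, NAME_MAX_LEN and all function names are illustrative and do not correspond to ipset identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's strscpy() semantics (assumption: this
 * mirrors the documented behaviour; it is not the kernel's own code).
 * Copies at most size-1 bytes, always NUL-terminates when size > 0, and
 * returns the number of bytes copied (without the NUL) or -E2BIG when
 * src did not fit and was truncated. */
static long model_strscpy(char *dst, const char *src, size_t size)
{
    size_t len;

    if (size == 0)
        return -E2BIG;

    for (len = 0; len < size; len++)
        if (src[len] == '\0')
            break;

    if (len == size) {
        /* src has size or more bytes: truncate, terminate, report it. */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -E2BIG;
    }
    memcpy(dst, src, len + 1);      /* includes the terminating NUL */
    return (long)len;
}

#define NAME_MAX_LEN 8              /* illustrative size, not ipset's */

struct set_like {                   /* illustrative struct, not ipset's */
    char name[NAME_MAX_LEN];
};

/* The strncpy() idiom being replaced. If src has NAME_MAX_LEN or more
 * bytes, strncpy() writes no NUL at all and name is left unterminated,
 * so a later strlen() or "%s" read runs past the field. Returns 1 if
 * name ended up NUL-terminated, 0 otherwise. */
int copy_name_strncpy(struct set_like *s, const char *src)
{
    strncpy(s->name, src, NAME_MAX_LEN);
    return memchr(s->name, '\0', NAME_MAX_LEN) != NULL;
}

/* The strscpy() pattern from the thread: copy, check the return value
 * and pass the error back instead of silently truncating. Returns 0 on
 * success or -E2BIG if src was too long for the field. */
int copy_name_strscpy(struct set_like *s, const char *src)
{
    long ret = model_strscpy(s->name, src, NAME_MAX_LEN);

    if (ret < 0)
        return (int)ret;
    return 0;
}

/* Wrappers using one scratch object so the outcome is easy to inspect. */
static struct set_like scratch;

int strncpy_name_terminated(const char *src)
{
    memset(scratch.name, 'X', sizeof(scratch.name)); /* no stray NUL */
    return copy_name_strncpy(&scratch, src);
}

int strscpy_name_status(const char *src)
{
    memset(scratch.name, 'X', sizeof(scratch.name));
    return copy_name_strscpy(&scratch, src);
}

const char *scratch_name(void)
{
    return scratch.name;
}

int main(void)
{
    /* Constructed inputs: one that fits, one with exactly NAME_MAX_LEN bytes. */
    printf("strncpy \"abc\":      terminated=%d\n", strncpy_name_terminated("abc"));
    printf("strncpy \"abcdefgh\": terminated=%d\n", strncpy_name_terminated("abcdefgh"));
    printf("strscpy \"abc\":      status=%d name=%s\n",
           strscpy_name_status("abc"), scratch_name());
    printf("strscpy \"abcdefgh\": status=%d name=%s\n",
           strscpy_name_status("abcdefgh"), scratch_name());
    return 0;
}
```

With an 8-byte source the strncpy() version leaves the field unterminated, while the strscpy() version stores "abcdefg" with a NUL and reports -E2BIG. In the ipset case the length was already validated before the copy, so in practice the -E2BIG branch is unreachable there; propagating the return value anyway costs nothing and documents the contract, and it is also the shape that keeps gcc's truncation diagnostics for strncpy() with a size equal to the destination size quiet.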