Search results for "nf_accept"

Displaying 14 results from an estimated 14 matches for "nf_accept".
2007 Apr 18
1
[Bridge] [PATCH/RFC] Reduce call chain length in netfilter (take 2)
...gt;hook(hook, skb, indev, outdev, okfn)) { - case NF_QUEUE: - return NF_QUEUE; - - case NF_STOLEN: - return NF_STOLEN; - - case NF_DROP: - return NF_DROP; - - case NF_REPEAT: - *i = (*i)->prev; - break; - + verdict = elem->hook(hook, skb, indev, outdev, okfn); + if (verdict != NF_ACCEPT) { #ifdef CONFIG_NETFILTER_DEBUG - case NF_ACCEPT: - break; - - default: - NFDEBUG("Evil return from %p(%u).\n", - elem->hook, hook); + if (unlikely(verdict > NF_MAX_VERDICT)) { + NFDEBUG("Evil return from %p(%u).\n", + elem->hook, hook); +...
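Review bot: the removed switch handled NF_REPEAT by stepping back one element (`*i = (*i)->prev; break;`) so the same hook runs again, but the new `if (verdict != NF_ACCEPT)` branch visible here only adds the `verdict > NF_MAX_VERDICT` debug check before the hunk cuts off; the final patch needs an explicit NF_REPEAT case inside that branch rather than handing NF_REPEAT back to the caller, and a short comment that an out-of-range verdict is only reported under CONFIG_NETFILTER_DEBUG (in the removed switch it otherwise fell out of the switch and iteration simply continued) would help the next reader.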
2007 Apr 18
3
[Bridge] Re: do_IRQ: stack overflow: 872..
On Fri, 07 Jan 2005 17:05:59 +0000 David Woodhouse <dwmw2@infradead.org> wrote: > On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote: > > It's not really an oops, just a warning that stack space got quite > > tight. > > > > The problem seems to be that the br netfilter code is nesting far too > > deeply and recursing several times. Looks like a design
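The patch in the first result above rewrites the loop in nf_iterate() that walks a hook chain and acts on each hook's verdict, and the do_IRQ thread is about that chain recursing too deeply in the bridge code. The following is an added example, not code from either post or from the kernel: a user-space C model of that loop using the NF_* verdict values from <linux/netfilter.h>, with an invented packet type and three invented hooks. It shows that only NF_ACCEPT advances to the next hook, that NF_REPEAT re-runs the same hook, that every other verdict ends the walk and is handed to the caller, and that a verdict above NF_MAX_VERDICT (which the kernel only reports under CONFIG_NETFILTER_DEBUG, and which the removed switch otherwise let iteration continue past) is flagged. The repeat budget and the fail-closed handling of a bad verdict are choices made for this example, not kernel behaviour.

```c
#include <stdio.h>
#include <stdint.h>

/* Verdict values as in <linux/netfilter.h>; NF_MAX_VERDICT is NF_STOP. */
enum {
    NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2,
    NF_QUEUE = 3, NF_REPEAT = 4, NF_STOP = 5,
    NF_MAX_VERDICT = NF_STOP
};

/* Invented packet type: only what the sample hooks need. */
struct pkt {
    uint16_t dst_port;
    int repeats;    /* how many times a hook answered NF_REPEAT */
    int last_hook;  /* index of the last hook that ran */
};

typedef unsigned int (*hook_fn)(struct pkt *p);

/* Model of nf_iterate(): walk the chain and act on each verdict.
 * Returns the final verdict; *evil is set when a hook returned a value
 * outside the defined range (the kernel's "Evil return" debug message). */
unsigned int nf_iterate_model(const hook_fn *ops, int n, struct pkt *p, int *evil)
{
    int i = 0;
    int repeat_budget = 8;  /* added guard: a hook that repeats forever would spin the loop */

    *evil = 0;
    while (i < n) {
        unsigned int verdict = ops[i](p);
        p->last_hook = i;

        if (verdict == NF_ACCEPT) {
            i++;                /* only NF_ACCEPT moves on to the next hook */
            continue;
        }
        if (verdict > NF_MAX_VERDICT) {
            *evil = 1;          /* kernel: NFDEBUG("Evil return ...") under CONFIG_NETFILTER_DEBUG */
            return NF_DROP;     /* added choice: fail closed instead of carrying on */
        }
        if (verdict == NF_REPEAT) {
            if (--repeat_budget == 0)
                return NF_DROP;
            p->repeats++;
            continue;           /* same hook again: the "*i = (*i)->prev" of the kernel loop */
        }
        return verdict;         /* NF_DROP, NF_STOLEN, NF_QUEUE, NF_STOP: the caller takes over */
    }
    return NF_ACCEPT;
}

/* Invented sample hooks. */
static unsigned int hook_repeat_once(struct pkt *p) { return p->repeats == 0 ? NF_REPEAT : NF_ACCEPT; }
static unsigned int hook_block_telnet(struct pkt *p) { return p->dst_port == 23 ? NF_DROP : NF_ACCEPT; }
static unsigned int hook_queue_dns(struct pkt *p) { return p->dst_port == 53 ? NF_QUEUE : NF_ACCEPT; }
static unsigned int hook_evil(struct pkt *p) { (void)p; return 42; /* deliberately out of range */ }

static const hook_fn chain[] = { hook_repeat_once, hook_block_telnet, hook_queue_dns };
#define CHAIN_LEN ((int)(sizeof chain / sizeof chain[0]))

/* Run one packet addressed to dst_port through the sample chain. */
unsigned int verdict_for_port(uint16_t port, struct pkt *out)
{
    struct pkt p = { port, 0, -1 };
    int evil;
    unsigned int v = nf_iterate_model(chain, CHAIN_LEN, &p, &evil);
    if (out)
        *out = p;
    return v;
}

/* 1 if an out-of-range verdict from a single-hook chain is detected. */
int evil_verdict_detected(void)
{
    static const hook_fn bad[] = { hook_evil };
    struct pkt p = { 80, 0, -1 };
    int evil;
    (void)nf_iterate_model(bad, 1, &p, &evil);
    return evil;
}

int main(void)
{
    static const uint16_t ports[] = { 80, 23, 53 };
    for (size_t k = 0; k < sizeof ports / sizeof ports[0]; k++) {
        struct pkt p;
        unsigned int v = verdict_for_port(ports[k], &p);
        printf("port %u: verdict %u after hook %d (repeats %d)\n",
               (unsigned)ports[k], v, p.last_hook, p.repeats);
    }
    printf("evil verdict detected: %d\n", evil_verdict_detected());
    return 0;
}
```

A packet to port 80 is repeated once by the first hook and then accepted by all three; port 23 is dropped by the second hook, so the third never runs; port 53 is queued, which in the kernel would hand the packet to a queue handler such as libnetfilter_queue and suspend the walk until a verdict comes back.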
2007 Apr 18
4
[Bridge] [PATCH/RFC] Let {ip, arp}tables "see" bridged VLAN tagged {I, AR}P packets
...br_handle_frame_finish, 1); @@ -220,13 +247,20 @@ static unsigned int br_nf_pre_routing(un { struct iphdr *iph; __u32 len; - struct sk_buff *skb; + struct sk_buff *skb = *pskb; struct nf_bridge_info *nf_bridge; - if ((*pskb)->protocol != __constant_htons(ETH_P_IP)) - return NF_ACCEPT; - - if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL) + if (skb->protocol != __constant_htons(ETH_P_IP)) { + struct vlan_ethhdr *hdr = (struct vlan_ethhdr *) + ((*pskb)->mac.ethernet); + + if (!IS_VLAN_IP) + return NF_ACCEPT; + if ((skb = skb_share_check(*pskb, GFP_ATOMIC))...
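Review bot: `hdr` is declared from `(*pskb)->mac.ethernet` and then only consumed implicitly through `IS_VLAN_IP`, a macro invoked with no arguments that must therefore reach into the local named `hdr`; that ties the macro to a variable name outside its own definition, so either pass the header explicitly (`IS_VLAN_IP(hdr)`) or document the dependency next to the macro. The same lines still read `(*pskb)` even though `skb = *pskb` was just introduced at the top of the function; `skb->mac.ethernet` keeps the two consistent.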
2012 Apr 25
1
forwarding packets to service in same host without using loopback network
...accurate and robust. The following code describes the core functionality of the application: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <netinet/in.h> #include <linux/types.h> #include <linux/netfilter.h> /* for NF_ACCEPT */ #include <errno.h> #include <libnetfilter_queue/libnetfilter_queue.h> #define PREROUTING 0 #define POSTROUTING 4 #define OUTPUT 3 /* returns packet id */ static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg...
2007 Apr 18
2
[Bridge] The problem of bridge+netfilter+nat
...printk("[%s]", skb->dev->name); if (has_bridge_parent(skb->dev)) printk("[%s]", bridge_parent(skb->dev)->name); } printk("\n"); return NF_ACCEPT; } And in the new bridge-nf version it is announced this should not happen anymore. I think I should upgrade the kernel. But I'm curious about the problem and I wish I could know what kind of packets caused such a problem. Thanks for help. Please cc. Regards, Zheng chuanb...
2007 Jan 09
0
[Bug 530] New: loading nf_nat version of the iptable_nat module kills existing connections
..., of course, that stops working. I've poked around a bit and this section of nf_nat_standalone.c appears to be the culprit: 120: /* Don't try to NAT if this packet is not conntracked */ 121: if (ct == &nf_conntrack_untracked) 122: return NF_ACCEPT; 123: 124: nat = nfct_nat(ct); -> 125: if (!nat) -> 126: return NF_DROP; If I read this correctly, packets for connections which aren't tracked at all are accepted, but packets for connections which are being tracked don't have NAT inf...
2007 Jan 09
1
[Bug 530] loading nf_nat version of the iptable_nat module kills existing connections
...|FIXED ------- Additional Comments From kaber@trash.net 2007-01-09 14:49 MET ------- I agree, I was already thinking about this, but came to no conclusion. I've queued up this patch for 2.6.20 .. well I can't seem to attach it, but I queued a patch which changes this line to NF_ACCEPT. -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You reported the bug, or are watching the reporter.
2006 Jul 25
0
[Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
...everity: normal Priority: P2 Component: ip_conntrack AssignedTo: laforge@netfilter.org ReportedBy: Bob.Halley@nominum.com Background Our application uses ip_queue in prerouting to divert DNS UDP packets to a userland daemon which inspects them and then issues a NF_ACCEPT or NF_DROP verdict back to the kernel. We found that if several packets with the same conntrack tuple, i.e. the same src addr, src port, dst addr, and dst port, arrive very close together, then only the first one accepted by our software actually makes it back out to the wire; the others are silen...
2007 Aug 14
0
ebtables locking issue
...sponse and then pass the result back to ebtable code. Everything seemed to be working fine until I encountered locking issues. In the ebt_do_table code a "read_lock_bh" is used. When I try to wait inside this code path after sending info to my userspace tool and before returning NF_ACCEPT or NF_DROP, either the CPU hangs or I get an error "schedule while atomic". I tried out different methods for waiting like "wait_event_timeout" or a busy while loop etc. The problem that I understood is that since read_lock_bh disables CPU preemption and does "local_bh_disable...
2019 Dec 01
0
[Bug 1384] New: memory leaks when netfilter is used to filter network traffic
...ets. Found memory leaks. Then we built a kernel module to filter traffic to queue 0, and libnetfilter_queue is used to do the same. Still found memory leaks. We also did another testing: in the kernel module, we do some condition check to all the packets, no matter pass or not simply "return NF_ACCEPT". In this test, libnetfilter_queue is not involved. Still found memory leaks. Without the kernel module, there will be no memory leaks. kernel version: 4-14-131. platform: openwrt-18.06.4. Is it netfilter to complain or we missed something or did something incorrectly? Thanks in advance for...
2003 Apr 25
0
[Bug 85] New: couldn't write file ,call syscall ,ex. sys_open
...*/ int fd = 0; char pathname[50] ="/test/log/8.mail" ; set_fs(new_fs) ; fd = sys_open(pathname,O_WRONLY|O_CREAT,S_IRUSR|S_IWUSR); printk("fd is [%d]",fd); sys_write(fd,"Mail has develope sucesses , ",20) ; sys_close(fd); set_fs(old_fs) ; return NF_ACCEPT; } static struct nf_hook_ops iplimitfilter= { {NULL,NULL}, myfirewall, PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_FILTER }; int init_module(void) { mm_segment_t old_fs =get_fs() ; mm_segment_t new_fs =get_ds(); printk("The** old fs is [%lu]\n",old_fs.seg) ; printk("The** new...
2003 Aug 02
0
[SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
...tuple)], &ct->tuplehash[IP_CT_DIR_ORIGINAL]); @@ -467,6 +464,7 @@ ct->timeout.expires += jiffies; add_timer(&ct->timeout); atomic_inc(&ct->ct_general.use); + set_bit(IPS_CONFIRMED_BIT, &ct->status); WRITE_UNLOCK(&ip_conntrack_lock); return NF_ACCEPT; } @@ -585,7 +583,7 @@ connection. Too bad: we're in trouble anyway. */ static inline int unreplied(const struct ip_conntrack_tuple_hash *i) { - return !(i->ctrack->status & IPS_ASSURED); + return !(test_bit(IPS_ASSURED_BIT, &i->ctrack->status)); } static int...
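Review bot: the new `set_bit(IPS_CONFIRMED_BIT, &ct->status)` sits inside the ip_conntrack_lock write section, before `WRITE_UNLOCK` and `return NF_ACCEPT`, which is where it has to be: whatever path decides whether a tuplehash may be list_del()'d must observe the bit under the same lock, or the DoS named in the advisory title comes back. Switching `unreplied()` to `test_bit(IPS_ASSURED_BIT, ...)` is consistent with the status word now being driven by atomic bit operations; the rest of the file should be checked for remaining plain `status & IPS_*` reads and converted the same way.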
2002 May 08
0
Security Advisory
...ipv4/netfilter/ip_nat_core.c linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c --- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c Sun Apr 7 15:27:29 2002 +++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c Fri Apr 12 00:52:31 2002 @@ -780,6 +780,18 @@ } else return NF_ACCEPT; } +/* + * Decide whether to map inner header of an ICMP reply, including when + * we generate the reply ourselves. + */ +static inline int +map_innards(unsigned int maniphook, unsigned int hooknum) +{ + return (maniphook == opposite_hook[hooknum] + || (hooknum == NF_IP_LOCAL_O...
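Review bot: the second operand of `map_innards()` (the `hooknum == NF_IP_LOCAL_O...` branch) is cut off here, so the full condition cannot be reviewed from this hunk; what can be said is that the helper must replace every place in ip_nat_core.c that previously open-coded `maniphook == opposite_hook[hooknum]`, otherwise locally generated ICMP replies are mapped by two different rules depending on the call site. A one-line comment on why `opposite_hook[hooknum]` alone was insufficient for the self-generated reply case would make this advisory fix easier to audit.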
2015 Dec 18
0
[ANNOUNCE] iptables 1.6.0 release
...n sync with arptables -L -n --line-numbers arptables-compat: remove save code refresh nf_tables.h cached copy iptables-compat: fix chain policy reset with iptables -L -n iptables-compat: statify unused built-in table/chain functions iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains iptables-compat: fix empty chains after first invocation of iptables-compat -L Merge branch 'ipset' nft: bootstrap ebtables-compat ebtables-compat: use ebtables_command_state in bootstrap code iptables: use flock() instead of abstr...