iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/netfilter
History
Pablo Neira Ayuso 931401137f netfilter: nfnetlink_queue: honor NFQA_CFG_F_FAIL_OPEN when netlink unicast fails 
When netlink unicast fails to deliver the message to userspace, we
should also check if the NFQA_CFG_F_FAIL_OPEN flag is set so we reinject
the packet back to the stack.

I think the user expects no packet drops when this flag is set due to
queueing to userspace errors, no matter if related to the internal queue
or when sending the netlink message to userspace.

The userspace application will still get the ENOBUFS error via recvmsg()
so the user still knows that, with the current configuration that is in
place, the userspace application is not consuming the messages at the
pace that the kernel needs.

Reported-by: "Yigal Reiss (yreiss)" <yreiss@cisco.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: "Yigal Reiss (yreiss)" <yreiss@cisco.com>
2016-03-28 17:59:20 +02:00
..
ipset
netfilter: ipset: fix race condition in ipset save, swap and delete
2016-03-28 17:57:45 +02:00
ipvs
Merge tag 'ipvs-fixes-for-v4.5' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs
2016-03-11 11:37:35 +01:00
core.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-24 06:54:12 -07:00
Kconfig
netfilter: tee: select NF_DUP_IPV6 unconditionally
2016-02-08 12:58:28 +01:00
Makefile
netfilter: nf_tables: add forward expression to the netdev family
2016-01-04 17:48:38 +01:00
nf_conntrack_acct.c
netfilter: Remove uses of seq_<foo> return values
2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c
net: Remove state argument from skb_find_text()
2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c
netfilter: nf_conntrack: consolidate lock/unlock into unlock_wait
2016-03-15 01:10:42 +01:00
nf_conntrack_ecache.c
netfilter: conntrack: remove timer from ecache extension
2014-06-25 19:15:38 +02:00
nf_conntrack_expect.c
netfilter: Set /proc/net entries owner to root in namespace
2015-11-25 13:54:09 +01:00
nf_conntrack_extend.c
nf_conntrack_ftp.c
netfilter: nf_ct_helper: define pr_fmt()
2016-01-04 17:48:51 +01:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c
ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST
2015-05-25 13:25:33 -04:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c
netfilter: nf_conntrack: use safer way to lock all buckets
2016-01-20 14:15:31 +01:00
nf_conntrack_irc.c
netfilter: nf_ct_helper: define pr_fmt()
2016-01-04 17:48:51 +01:00
nf_conntrack_l3proto_generic.c
netfilter: Convert print_tuple functions to return void
2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c
netfilter: connlabels: Export setting connlabel length
2015-08-27 11:40:43 -07:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c
netfilter: nf_conntrack: use safer way to lock all buckets
2016-01-20 14:15:31 +01:00
nf_conntrack_pptp.c
netfilter: nf_conntrack: push zone object into functions
2015-08-11 12:29:01 +02:00
nf_conntrack_proto_dccp.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_generic.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_gre.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_sctp.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_tcp.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_udp.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto_udplite.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
nf_conntrack_proto.c
nf_conntrack_sane.c
netfilter: nf_ct_helper: define pr_fmt()
2016-01-04 17:48:51 +01:00
nf_conntrack_seqadj.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_conntrack_sip.c
netfilter: nf_ct_helper: define pr_fmt()
2016-01-04 17:48:51 +01:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c
netfilter: Set /proc/net entries owner to root in namespace
2015-11-25 13:54:09 +01:00
nf_conntrack_tftp.c
netfilter: nf_ct_helper: define pr_fmt()
2016-01-04 17:48:51 +01:00
nf_conntrack_timeout.c
netfilter: cttimeout: add netns support
2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.c
nf_dup_netdev.c
net: remove skb_sender_cpu_clear()
2016-03-01 17:36:47 -05:00
nf_internals.h
netfilter: nf_queue: fix nf_queue_nf_hook_drop()
2015-07-23 16:17:58 +02:00
nf_log_common.c
netfilter: bridge: add helpers for fetching physin/outdev
2015-04-08 16:49:08 +02:00
nf_log.c
netfilter: nf_log: wait for rcu grace after logger unregistration
2015-09-17 13:37:31 +02:00
nf_nat_amanda.c
nf_nat_core.c
netfilter: Pass net into nf_xfrm_me_harder
2015-09-18 22:00:22 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c
netfilter: use IS_ENABLED() macro
2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_sctp.c
netfilter: use IS_ENABLED() macro
2014-06-30 11:38:03 +02:00
nf_nat_proto_tcp.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_unknown.c
nf_nat_redirect.c
netfilter: nf_nat_redirect: add missing NULL pointer check
2015-10-27 06:54:56 +01:00
nf_nat_sip.c
netfilter: replace strnicmp with strncasecmp
2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c
netfilter: nf_queue: remove rcu_read_lock calls
2015-10-16 18:22:41 +02:00
nf_sockopt.c
netfilter: don't use mutex_lock_interruptible()
2014-08-08 16:47:23 +02:00
nf_synproxy_core.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2015-09-05 21:57:42 -07:00
nf_tables_api.c
netfilter: nf_tables: Add new attributes into nft_set to store user data.
2016-01-08 13:25:08 +01:00
nf_tables_core.c
netfilter: nf_tables: fix nf_log_trace based tracing
2015-12-09 16:53:46 +01:00
nf_tables_inet.c
netfilter: nf_tables: release objects on netns destruction
2015-12-28 18:34:35 +01:00
nf_tables_netdev.c
netfilter: nf_tables_netdev: fix error path in module initialization
2016-01-18 13:53:37 +01:00
nf_tables_trace.c
netfilter: nf_tables: wrap tracing with a static key
2015-12-09 13:23:13 +01:00
nfnetlink_acct.c
netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
2016-02-29 13:27:21 +01:00
nfnetlink_cthelper.c
netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()
2015-12-28 18:41:41 +01:00
nfnetlink_cttimeout.c
netfilter: cttimeout: fix deadlock due to erroneous unlock/lock conversion
2016-02-01 00:15:28 +01:00
nfnetlink_log.c
nfnetlink: remove nfnetlink_alloc_skb
2016-02-18 11:42:19 -05:00
nfnetlink_queue.c
netfilter: nfnetlink_queue: honor NFQA_CFG_F_FAIL_OPEN when netlink unicast fails
2016-03-28 17:59:20 +02:00
nfnetlink.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-02-23 00:09:14 -05:00
nft_bitwise.c
netfilter: nf_tables: support variable sized data in nft_data_init()
2015-04-13 17:17:30 +02:00
nft_byteorder.c
netfilter: nft_byteorder: avoid unneeded le/be conversion steps
2016-01-13 14:02:59 +01:00
nft_cmp.c
netfilter: nf_tables: support variable sized data in nft_data_init()
2015-04-13 17:17:30 +02:00
nft_compat.c
netfilter: nft_compat: check match/targetinfo attr size
2016-03-11 11:37:56 +01:00
nft_counter.c
netfilter: nft_counter: fix erroneous return values
2016-02-08 13:05:02 +01:00
nft_ct.c
netfilter: nft_ct: keep counters away from CONFIG_NF_CONNTRACK_LABELS
2016-01-14 19:41:16 +01:00
nft_dup_netdev.c
netfilter: nf_tables: add packet duplication to the netdev family
2016-01-03 21:04:23 +01:00
nft_dynset.c
netfilter: nf_tables: add clone interface to expression operations
2015-11-10 23:47:32 +01:00
nft_exthdr.c
netfilter: nf_tables: switch registers to 32 bit addressing
2015-04-13 17:17:29 +02:00
nft_fwd_netdev.c
netfilter: nf_tables: add forward expression to the netdev family
2016-01-04 17:48:38 +01:00
nft_hash.c
netfilter: nf_tables: variable sized set element keys / data
2015-04-13 17:17:31 +02:00
nft_immediate.c
netfilter: nf_tables: support variable sized data in nft_data_init()
2015-04-13 17:17:30 +02:00
nft_limit.c
netfilter: nft_limit: allow to invert matching criteria
2016-01-03 20:58:52 +01:00
nft_log.c
netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices
2015-09-18 21:58:49 +02:00
nft_lookup.c
netfilter: nf_tables: add flag to indicate set contains expressions
2015-04-13 20:12:32 +02:00
nft_masq.c
netfilter: nft_masq: support port range
2016-03-02 20:05:27 +01:00
nft_meta.c
netfilter: meta: add PRANDOM support
2016-02-29 13:55:59 +01:00
nft_nat.c
netfilter: nf_tables: switch registers to 32 bit addressing
2015-04-13 17:17:29 +02:00
nft_payload.c
netfilter: nft_payload: add packet mangling support
2015-11-25 13:54:51 +01:00
nft_queue.c
netfilter: nf_tables: kill nft_pktinfo.ops
2015-09-18 21:58:01 +02:00
nft_rbtree.c
netfilter: nf_tables: variable sized set element keys / data
2015-04-13 17:17:31 +02:00
nft_redir.c
netfilter: nf_tables: add register parsing/dumping helpers
2015-04-13 17:17:28 +02:00
nft_reject_inet.c
ipv4: Push struct net down into nf_send_reset
2015-09-29 20:21:31 +02:00
nft_reject.c
netfilter; Add some missing default cases to switch statements in nft_reject.
2015-04-27 13:20:34 -04:00
x_tables.c
netfilter: x_tables: check for size overflow
2016-03-12 11:55:01 +01:00
xt_addrtype.c
netfilter: x_tables: Use par->net instead of computing from the passed net devices
2015-09-18 21:58:25 +02:00
xt_AUDIT.c
netfilter: Convert uses of __constant_<foo> to <foo>
2014-03-13 14:13:19 +01:00
xt_bpf.c
net: filter: split 'struct sk_filter' into socket and bpf parts
2014-08-02 15:03:58 -07:00
xt_cgroup.c
netfilter: implement xt_cgroup cgroup2 path match
2015-12-14 20:34:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
net: use reciprocal_scale() helper
2014-08-23 12:21:21 -07:00
xt_comment.c
xt_connbytes.c
netfilter: Convert pr_warning to pr_warn
2014-09-10 12:40:10 -07:00
xt_connlabel.c
netfilter: connlabels: Export setting connlabel length
2015-08-27 11:40:43 -07:00
xt_connlimit.c
netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
2015-09-18 22:00:04 +02:00
xt_connmark.c
xt_CONNSECMARK.c
xt_conntrack.c
xt_cpu.c
xt_CT.c
netfilter: cttimeout: add netns support
2015-12-14 12:48:58 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
netfilter: fix various sparse warnings
2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c
netfilter: Remove checks of seq_printf() return values
2014-11-05 14:11:02 -05:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
net: use reciprocal_scale() helper
2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c
netfilter: IDLETIMER: fix lockdep warning
2015-07-13 17:23:25 +02:00
xt_ipcomp.c
netfilter: xt_ipcomp: Use ntohs to ease sparse warning
2014-02-19 11:41:25 +01:00
xt_iprange.c
xt_ipvs.c
ipvs: Pass ipvs into conn_out_get
2015-09-24 09:34:41 +09:00
xt_l2tp.c
netfilter: introduce l2tp match extension
2014-01-09 21:36:39 +01:00
xt_LED.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c
xt_LOG.c
netfilter: x_tables: Use par->net instead of computing from the passed net devices
2015-09-18 21:58:25 +02:00
xt_mac.c
xt_mark.c
netfilter: xt_MARK: Add ARP support
2015-05-14 13:00:27 +02:00
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
netfilter: nfacct: per network namespace support
2015-08-07 11:50:56 +02:00
xt_NFLOG.c
netfilter: x_tables: Use par->net instead of computing from the passed net devices
2015-09-18 21:58:25 +02:00
xt_NFQUEUE.c
xt_osf.c
netfilter: xt_osf: remove unused variable
2016-02-29 13:59:43 +01:00
xt_owner.c
netfilter: xt_owner: use skb_to_full_sk() helper
2015-11-08 20:56:39 -05:00
xt_physdev.c
netfilter: physdev: use helpers
2015-04-08 16:49:09 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c
net: sched: make bstats per cpu and estimator RCU safe
2014-09-30 01:02:26 -04:00
xt_realm.c
xt_recent.c
netfilter: x_tables: Use par->net instead of computing from the passed net devices
2015-09-18 21:58:25 +02:00
xt_REDIRECT.c
netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module
2014-11-27 13:08:42 +01:00
xt_repldata.h
net: netfilter: LLVMLinux: vlais-netfilter
2014-06-07 11:44:39 -07:00
xt_sctp.c
xt_SECMARK.c
xt_set.c
netfilter: ipset: Fix coding styles reported by checkpatch.pl
2015-06-14 10:40:18 +02:00
xt_socket.c
inet: refactor inet[6]_lookup functions to take skb
2016-02-11 03:54:14 -05:00
xt_state.c
xt_statistic.c
net: replace macros net_random and net_srandom with direct calls to prandom
2014-01-14 15:15:25 -08:00
xt_string.c
net: Remove state argument from skb_find_text()
2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_TCPMSS.c
netfilter: xt_TCPMSS: handle CHECKSUM_COMPLETE in tcpmss_tg6()
2016-01-18 12:18:17 +01:00
xt_TCPOPTSTRIP.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
xt_tcpudp.c
xt_TEE.c
netfilter: tee: select NF_DUP_IPV6 unconditionally
2016-02-08 12:58:28 +01:00
xt_time.c
xt_TPROXY.c
inet: refactor inet[6]_lookup functions to take skb
2016-02-11 03:54:14 -05:00
xt_TRACE.c
xt_u32.c