Hi Jozsef, On Thu, Dec 13, 2018 at 01:57:57PM +0100, Jozsef Kadlecsik wrote: > Hi Pablo, > > On Thu, 13 Dec 2018, Pablo Neira Ayuso wrote: > > > On Mon, Dec 10, 2018 at 02:39:33PM +0100, Jozsef Kadlecsik wrote: > > > > > > Please consider to pull the next patches for nf-next: > > > > > > - Replace a strncpy() with strscpy() from Qian Cai. > > > - Do not call ipset_nest_end() after nla_nest_cancel() in the error > > > path in list_set_list() from Pan Bian. > > > - Introduction of new commands and thus protocol version 7. The > > > new commands makes possible to eliminate the getsockopt interface > > > of ipset and use solely netlink to communicate with the kernel. > > > Due to the strict attribute checking both in user/kernel space, > > > a new protocol number was introduced. Both the kernel/userspace is > > > fully backward compatible. The "fix ip_set_byindex function" patch > > > in the ipset git tree from Florent Fourcot is merged into the patch. > > > - Make invalid MAC address checks consisten, from Stefano Brivio. > > > The patch depends on the next one. > > > - Allow matching on destination MAC address for mac and ipmac sets, > > > also from Stefano Brivio. > > > > Hm, I think I got you confused when discussing this pull-request. > > Patches 1-3 are already in the nf-next tree. I'm telling this because > > I thought the fix from Florent was only in your tree, but it is > > already here in nf-next git. > > > > I think we need the independent fix from Florent Fourcout, as an > > independent patch for nf-next. If Florent's patch in in patchwork, > > please pass me the link and I'll take it from there. > > Yes, that confused me and better apply the independent patch from Florent > Fourcout. It can be found here (not patchwork, though): > https://marc.info/?l=netfilter-devel&m=154333572628311&w=2 Sorry for the confusion. Patch is applied. > > Patch 5/5 is rare, the gcc warning looks wrong? And strscpy will never > > fail? > > The gcc warning is definitely wrong, the target data size is verified > previously. But I suppose gcc cannot figure it out, so better silence the > warning. strscpy() may return an error code which is checked and passed > back. Thanks, I have also applied this to nf-next.
