Today's Topics:

   1. Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
      firewall (Daniel Wagner)
   2. Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
      firewall (Dragos Tatulea)
   3. Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
      firewall (Daniel Wagner)
   4. Re: [PATCH] dhcp: Set link MTU if available (Andreas Smas)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2016 11:05:10 +0200
From: Daniel Wagner <[email protected]>
To: Dragos Tatulea <[email protected]>, [email protected]
Subject: Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
        firewall
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

Hi Dragos

On 04/26/2016 10:37 AM, Dragos Tatulea wrote:
> On 04/22/2016 02:34 PM, Daniel Wagner wrote:
>> From: Daniel Wagner <[email protected]>

[...]

>> +static int create_table_and_chains(struct nftables_info *nft_info)
>> +{
>> +    struct mnl_socket *nl;
>> +    struct nftnl_table *table;
>> +    struct nftnl_chain *chain;
>> +    int err;
>> +
>> +
>> +    DBG("");
>> +
>> +        err = socket_open_and_bind(&nl);
>> +        if (err < 0)
>> +            return err;
>> +
>> +    /*
>> +     * Add table
>> +     * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
>> +     */
>> +
>> +    /*
>> +     * # nft add table connman
>> +     */
>> +    table = build_table(CONNMAN_TABLE, NFPROTO_IPV4);
>> +    if (!table) {
>> +            err = -ENOMEM;
>> +            goto out;
>> +    }
>> +
>> +        err = table_cmd(nl, table, NFT_MSG_NEWTABLE, NFPROTO_IPV4, 
>> NLM_F_ACK);
>> +        if (err < 0)
>> +                goto out;
>> +
>> +    /*
>> +     * Add basic chains
>> +     * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>> +     */
>> +
>> +    /*
>> +     * # nft add chain connman nat-prerouting               \
>> +     *      { type nat hook prerouting priortiy 0 ; }
>> +     */
>> +    chain = build_chain(CONNMAN_CHAIN_NAT_PRE, CONNMAN_TABLE,
>> +                    "nat", NF_INET_PRE_ROUTING, 0);
>> +    if (!chain) {
>> +            err = -ENOMEM;
>> +            goto out;
>> +    }
>> +
>> +    nft_info->nat.chain = CONNMAN_CHAIN_NAT_PRE;
>> +    err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>> +                    CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
>> +    if (err < 0)
>> +            goto out;
>> +
>> +    /*
>> +     * # nft add chain connman nat-postrouting              \
>> +     *      { type nat hook postrouting priortiy 0 ; }
>> +     */
>> +    chain = build_chain(CONNMAN_CHAIN_NAT_POST, CONNMAN_TABLE,
>> +                    "nat", NF_INET_POST_ROUTING, 0);
>> +    if (!chain) {
>> +            err = -ENOMEM;
>> +            goto out;
>> +    }
>> +
>> +    nft_info->nat.chain = CONNMAN_CHAIN_NAT_POST;
>> +    err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>> +                    CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
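
Review bot: nft_info->nat.chain and nft_info->nat.handle are written twice in this function, first for CONNMAN_CHAIN_NAT_PRE and then again for CONNMAN_CHAIN_NAT_POST, so the handle returned for the prerouting chain is overwritten as soon as the second chain_cmd() call stores its result. If both chains have to be referenced later (rule insertion, cleanup), keep them in separate fields; if only the postrouting chain is needed, drop the first assignment and do not request a handle for the prerouting chain. Two smaller points: both nft comments spell the keyword as "priortiy" instead of "priority", and the socket_open_and_bind() and table_cmd() lines are indented differently from the rest of the function.
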
> This returns ENOENT for me (4.4.6 kernel, libnftnl-1.0.5).

The kernel function nf_tables_newchain() does return a couple of
ENOENT. Most of the error codes are something different. Since there are
several places where the function returns ENOENT it is not easy to say
what's wrong.

Hmm, does the connman table exist? See nf_tables_table_lookup().

BTW, do you have iptables still enabled? On my system both iptables and
nftables are enabled. Just wondering if that might be a problem.

>> +    /*
>> +     * EAFNOSUPPORT is return whenever the nf_tables_ipv4 hasn't been
>> +     * loaded yet. ENOENT is return in case the table is missing.
>> +     */
>> +    err = cleanup_table_and_chains();
>> +    if (err < 0 && (err != EAFNOSUPPORT || err != -ENOENT))
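
Review bot: the condition on the last line is true for every negative err, because "err != EAFNOSUPPORT || err != -ENOENT" can only be false if err equals both values at once; in addition, EAFNOSUPPORT is compared without the minus sign while -ENOENT is negated and the outer test is err < 0. As written, a missing table or a not yet loaded nf_tables_ipv4 is handled as a failure, which is the opposite of what the comment above the call describes. Join the two exclusions with && and negate both constants (err != -EAFNOSUPPORT && err != -ENOENT). The comment should also read "is returned" in both sentences.
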
> This doesn't work. Changed it to:
> if (err < 0 && (err != -EAFNOSUPPORT && err != -ENOENT))

D'oh. Stupid me.

cheers,
daniel


------------------------------

Message: 2
Date: Tue, 26 Apr 2016 11:14:53 +0200
From: Dragos Tatulea <[email protected]>
To: Daniel Wagner <[email protected]>, [email protected]
Subject: Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
        firewall
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

Hi Daniel,

On 04/26/2016 11:05 AM, Daniel Wagner wrote:
> Hi Dragos
> 
> On 04/26/2016 10:37 AM, Dragos Tatulea wrote:
>> On 04/22/2016 02:34 PM, Daniel Wagner wrote:
>>> From: Daniel Wagner <[email protected]>
> 
> [...]
> 
>>> +static int create_table_and_chains(struct nftables_info *nft_info)
>>> +{
>>> +   struct mnl_socket *nl;
>>> +   struct nftnl_table *table;
>>> +   struct nftnl_chain *chain;
>>> +   int err;
>>> +
>>> +
>>> +   DBG("");
>>> +
>>> +        err = socket_open_and_bind(&nl);
>>> +        if (err < 0)
>>> +           return err;
>>> +
>>> +   /*
>>> +    * Add table
>>> +    * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
>>> +    */
>>> +
>>> +   /*
>>> +    * # nft add table connman
>>> +    */
>>> +   table = build_table(CONNMAN_TABLE, NFPROTO_IPV4);
>>> +   if (!table) {
>>> +           err = -ENOMEM;
>>> +           goto out;
>>> +   }
>>> +
>>> +        err = table_cmd(nl, table, NFT_MSG_NEWTABLE, NFPROTO_IPV4, 
>>> NLM_F_ACK);
>>> +        if (err < 0)
>>> +                goto out;
>>> +
>>> +   /*
>>> +    * Add basic chains
>>> +    * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>>> +    */
>>> +
>>> +   /*
>>> +    * # nft add chain connman nat-prerouting               \
>>> +    *      { type nat hook prerouting priortiy 0 ; }
>>> +    */
>>> +   chain = build_chain(CONNMAN_CHAIN_NAT_PRE, CONNMAN_TABLE,
>>> +                   "nat", NF_INET_PRE_ROUTING, 0);
>>> +   if (!chain) {
>>> +           err = -ENOMEM;
>>> +           goto out;
>>> +   }
>>> +
>>> +   nft_info->nat.chain = CONNMAN_CHAIN_NAT_PRE;
>>> +   err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>>> +                   CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
>>> +   if (err < 0)
>>> +           goto out;
>>> +
>>> +   /*
>>> +    * # nft add chain connman nat-postrouting              \
>>> +    *      { type nat hook postrouting priortiy 0 ; }
>>> +    */
>>> +   chain = build_chain(CONNMAN_CHAIN_NAT_POST, CONNMAN_TABLE,
>>> +                   "nat", NF_INET_POST_ROUTING, 0);
>>> +   if (!chain) {
>>> +           err = -ENOMEM;
>>> +           goto out;
>>> +   }
>>> +
>>> +   nft_info->nat.chain = CONNMAN_CHAIN_NAT_POST;
>>> +   err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>>> +                   CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
>> This returns ENOENT for me (4.4.6 kernel, libnftnl-1.0.5).
> 
> The kernel function nf_tables_newchain() does return a couple of
> ENOENT. Most of the error codes are something different. Since there are
> several places where the function returns ENOENT it is not easy to say
> what's wrong.
> 
The required modules can't be loaded. The nftables tool can load them.
Any clue why?

> Hmm, does the connman table exist? See nf_tables_table_lookup().
>
It exists (after doing the fix mentioned before).
 
> BTW, do you have iptables still enabled? On my system both iptables and
> nftables are enabled. Just wondering if that might be a problem.
> 
You mean system wide? iptables is also enabled. 

Thanks,
Dragos


------------------------------

Message: 3
Date: Tue, 26 Apr 2016 11:24:22 +0200
From: Daniel Wagner <[email protected]>
To: Dragos Tatulea <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH v2 6/6] firewall-nftables: Add nftable support for
        firewall
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

On 04/26/2016 11:14 AM, Dragos Tatulea wrote:
> On 04/26/2016 11:05 AM, Daniel Wagner wrote:
>> On 04/26/2016 10:37 AM, Dragos Tatulea wrote:
>>> On 04/22/2016 02:34 PM, Daniel Wagner wrote:
>>>> From: Daniel Wagner <[email protected]>
>>
>> [...]
>>
>>>> +static int create_table_and_chains(struct nftables_info *nft_info)
>>>> +{
>>>> +  struct mnl_socket *nl;
>>>> +  struct nftnl_table *table;
>>>> +  struct nftnl_chain *chain;
>>>> +  int err;
>>>> +
>>>> +
>>>> +  DBG("");
>>>> +
>>>> +        err = socket_open_and_bind(&nl);
>>>> +        if (err < 0)
>>>> +          return err;
>>>> +
>>>> +  /*
>>>> +   * Add table
>>>> +   * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
>>>> +   */
>>>> +
>>>> +  /*
>>>> +   * # nft add table connman
>>>> +   */
>>>> +  table = build_table(CONNMAN_TABLE, NFPROTO_IPV4);
>>>> +  if (!table) {
>>>> +          err = -ENOMEM;
>>>> +          goto out;
>>>> +  }
>>>> +
>>>> +        err = table_cmd(nl, table, NFT_MSG_NEWTABLE, NFPROTO_IPV4, 
>>>> NLM_F_ACK);
>>>> +        if (err < 0)
>>>> +                goto out;
>>>> +
>>>> +  /*
>>>> +   * Add basic chains
>>>> +   * http://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>>>> +   */
>>>> +
>>>> +  /*
>>>> +   * # nft add chain connman nat-prerouting               \
>>>> +   *      { type nat hook prerouting priortiy 0 ; }
>>>> +   */
>>>> +  chain = build_chain(CONNMAN_CHAIN_NAT_PRE, CONNMAN_TABLE,
>>>> +                  "nat", NF_INET_PRE_ROUTING, 0);
>>>> +  if (!chain) {
>>>> +          err = -ENOMEM;
>>>> +          goto out;
>>>> +  }
>>>> +
>>>> +  nft_info->nat.chain = CONNMAN_CHAIN_NAT_PRE;
>>>> +  err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>>>> +                  CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
>>>> +  if (err < 0)
>>>> +          goto out;
>>>> +
>>>> +  /*
>>>> +   * # nft add chain connman nat-postrouting              \
>>>> +   *      { type nat hook postrouting priortiy 0 ; }
>>>> +   */
>>>> +  chain = build_chain(CONNMAN_CHAIN_NAT_POST, CONNMAN_TABLE,
>>>> +                  "nat", NF_INET_POST_ROUTING, 0);
>>>> +  if (!chain) {
>>>> +          err = -ENOMEM;
>>>> +          goto out;
>>>> +  }
>>>> +
>>>> +  nft_info->nat.chain = CONNMAN_CHAIN_NAT_POST;
>>>> +  err = chain_cmd(nl, chain, NFT_MSG_NEWCHAIN, NFPROTO_IPV4, NLM_F_ACK,
>>>> +                  CALLBACK_RETURN_HANDLE, &nft_info->nat.handle);
>>> This returns ENOENT for me (4.4.6 kernel, libnftnl-1.0.5).
>>
>> The kernel function nf_tables_newchain() does return a couple of
>> ENOENT. Most of the error codes are something different. Since there are
>> several places where the function returns ENOENT it is not easy to say
>> what's wrong.
>>
> The required modules can't be loaded. The nftables tool can load them.
> Any clue why?

Which module is missing? I would have expected the first new chain would
already fail. CONFIG_MODULES should be all you need if I read it correctly.

>> Hmm, does the connman table exist? See nf_tables_table_lookup().
>>
> It exists (after doing the fix mentioned before).

Okay, so that isn't the issue. Was just a wild guess :)

>> BTW, do you have iptables still enabled? On my system both iptables and
>> nftables are enabled. Just wondering if that might be a problem.
>>
> You mean system wide? iptables is also enabled. 

That matches my configuration, so we can rule out a problem there.

cheers,
daniel


------------------------------

Message: 4
Date: Tue, 26 Apr 2016 18:20:50 +0200
From: Andreas Smas <[email protected]>
To: Patrik Flykt <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH] dhcp: Set link MTU if available
Message-ID:
        <CAObFT-SK_Gmf-nZbNieKyRANMWzFyAOBEBa1RpeY=p5djoc...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Wed, Mar 30, 2016 at 1:07 PM, Patrik Flykt <[email protected]>
wrote:

> Request DHCP Interface MTU option from the DHCP server and set the
> MTU if it is between the minimum required for IPv6 and the maximum
> for ethernet networks.
>
> Reported by auto.
> ---
>
> Please test,
>

A little late to the party, but one of my users (I think the person reporting
the issue on IRC) has tested this and it's working just fine!

Thanks!

------------------------------


End of connman Digest, Vol 6, Issue 20
**************************************
