From: Liping Zhang
For example:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class :
nft add rule ip filter OUTPUT counter meta priority set root
# iptabl
Fixes the following sparse warning:
net/netfilter/nft_hash.c:40:25: warning:
symbol 'nft_hash_policy' was not declared. Should it be static?
Signed-off-by: Wei Yongjun
---
net/netfilter/nft_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_hash.c b/ne
From: Liping Zhang
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
NULL pointer dereference at ...
IP: [] nf_send_reset+0xaf/0x400
Call Trace:
[] ? nf_reject_ip_tcphdr_get+0x160/0x160
[] nft_reject_ipv4_eval+0x61/0xb0
This patch adds a cache of rules within the nft handle. This feature is
more useful after the new checks of ruleset compatibility, since the
rule list is loaded twice consecutively.
Now all the operations causing changes in the ruleset must invalidate
the cache, a function called flush_rule_cache
This patch adds a verification of the compatibility between the nft
ruleset and iptables. If the nft ruleset is not compatible with
iptables, the execution stops and an error message is displayed to the
user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed
The static function nft_rule_list_get was exposed outside nft.c through
the nft_rule_list_create function, but this was never used out there.
A similar situation occurs with nftnl_rule_list_free and
nft_rule_list_destroy.
This patch removes nft_rule_list_create and nft_rule_list_destroy for
the s
On 21 August 2016 at 20:10, Pablo M. Bermudo Garay wrote:
> This patch adds a verification of the compatibility between the nft
> ruleset and iptables. If the nft ruleset is not compatible with
> iptables, the execution stops and an error message is displayed to the
> user.
>
> This checking is tr
This patch introduces deletion in a similar fashion as in iptables, thus,
we can delete the first rule that matches our description, for example:
$ nft list -a ruleset
table ip t {
chain c {
ip saddr 1.1.1.1 counter packets 0 bytes 0 # handle
This patch separates the rule identification from the rule localization, so
the logic moves from the evaluator to the parser. This allows reverting the
patch "evaluate: improve rule managment checks"
(4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code.
Signed-off-by: Carlos Falguera
Shows a more informative message when the user commits a syntax error:
$ nft add rule t c handle 3 ...
:1:14-19: Error: Did you mean `position'?
add rule t c handle 3 ...
^^
$ nft delete rule t c position 3 ...
:1:17-24: Error: Did you m
They check if commands like "nft delete rule "
work as expected.
The first one checks if the command deletes only one of the matched rules.
The second one checks if the command fails when the rule is not found.
Signed-off-by: Carlos Falgueras García
---
.../testcases/rule_management/0010delete-by-desc_0 |
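The deletion semantics described in the "delete rule by description" patch and exercised by the two test cases above (only the first matching rule is removed; a non-matching description is an error) can be shown with a small model. This is an added example, not nftables code and not from any of the patches on this page: the `Chain`, `Rule`, `delete_rule_by_desc` and `sample_ruleset` names are assumptions, and the ruleset (table ip t, chain c, with a duplicated `ip saddr 1.1.1.1 counter` rule) is constructed to match the listing quoted above.

```python
"""Model of nft's "delete rule by description" behaviour (added example).

Not nftables code: a minimal in-memory ruleset that reproduces what the
patch and its test cases describe. Handles are assigned in insertion order,
as `nft list -a ruleset` shows them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    handle: int  # unique per rule, like the "# handle N" in nft list -a
    desc: str    # the rule body as typed by the user


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    next_handle: int = 1

    def add_rule(self, desc: str) -> int:
        """Append a rule (model of `nft add rule t c <desc>`); return its handle."""
        handle = self.next_handle
        self.next_handle += 1
        self.rules.append(Rule(handle, normalize(desc)))
        return handle


class RuleNotFound(Exception):
    """Raised when no rule in the chain matches the description."""


def normalize(desc: str) -> str:
    # Collapse whitespace so "ip  saddr 1.1.1.1" and "ip saddr 1.1.1.1" compare equal.
    return " ".join(desc.split())


def delete_rule_by_desc(chain: Chain, desc: str) -> int:
    """Delete the first rule whose description matches; return its handle.

    Mirrors the behaviour the patch describes for `nft delete rule t c <desc>`:
    when several rules match, only the first one is removed (second test case:
    the remaining duplicate survives), and when none matches the command fails
    (modelled as an exception) rather than silently doing nothing.
    """
    wanted = normalize(desc)
    for index, rule in enumerate(chain.rules):
        if rule.desc == wanted:
            del chain.rules[index]
            return rule.handle
    raise RuleNotFound(f"no rule matching {wanted!r}")


def sample_ruleset() -> Dict[Tuple[str, str, str], Chain]:
    """Constructed sample: table ip t, chain c, with a duplicated rule (assumption)."""
    chain = Chain()
    chain.add_rule("ip saddr 1.1.1.1 counter")
    chain.add_rule("ip saddr 1.1.1.1 counter")
    chain.add_rule("ip daddr 2.2.2.2 drop")
    return {("ip", "t", "c"): chain}


if __name__ == "__main__":
    chain = sample_ruleset()[("ip", "t", "c")]
    print("deleted handle", delete_rule_by_desc(chain, "ip saddr 1.1.1.1 counter"))
    print("remaining handles", [r.handle for r in chain.rules])
    try:
        delete_rule_by_desc(chain, "ip saddr 9.9.9.9 counter")
    except RuleNotFound as err:
        print("error:", err)
```

The model keeps the rule body as the match key only; the real nft compares the parsed rule, so two textually different but semantically identical rules would also match there, which this simplified version does not attempt.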
On Fri, 2016-08-19 at 18:04 +0200, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote:
> >
> > > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock,
> > > in case object is free'd SLAB_DESTROY_BY_RCU should delay actual release
>