Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-24 Thread Peter Colberg
On Thu, Nov 24, 2016 at 06:58:46PM +, Ben Hutchings wrote:
> > IIRC Ben said that the next upstream kernel being tagged as LTS will be 
> > the one included in Debian stretch, so we’ll probably have 4.9… unless 
> > Greg KH changes his mind again. :D
> 
> Yes, exactly.

Thanks for clarifying.

There are worse things than 3 more years of iptables–ip6tables duality ;-).

Peter



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-24 Thread Ben Hutchings
On Thu, 2016-11-24 at 13:44 +0100, Vincent Blut wrote:
> On Thu, Nov 24, 2016 at 08:46:27AM +0100, Arturo Borrero Gonzalez wrote:
> > On 24 November 2016 at 01:34, Peter Colberg  wrote:
> > > 
> > > While the nftables package in Debian stretch will support notrack, the
> > > corresponding kernel support was committed after the 4.9 merge window:
> > > 
> > > https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688
> > > 
> > > Assuming 4.9 becomes the stretch kernel, could you backport the patch?
> > 
> > 
> > Debian stretch will include linux 4.10 [0], so no problem.
> > 
> > 
> > [0] https://lists.debian.org/debian-devel-announce/2016/03/msg0.html
> 
> Hi,
> 
> IIRC Ben said that the next upstream kernel being tagged as LTS will be 
> the one included in Debian stretch, so we’ll probably have 4.9… unless 
> Greg KH changes his mind again. :D

Yes, exactly.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs.
- Maurice Wilkes, 1949





Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-24 Thread Vincent Blut

On Thu, Nov 24, 2016 at 08:46:27AM +0100, Arturo Borrero Gonzalez wrote:
> On 24 November 2016 at 01:34, Peter Colberg  wrote:
> >
> > While the nftables package in Debian stretch will support notrack, the
> > corresponding kernel support was committed after the 4.9 merge window:
> >
> > https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688
> >
> > Assuming 4.9 becomes the stretch kernel, could you backport the patch?
> 
> 
> Debian stretch will include linux 4.10 [0], so no problem.
> 
> 
> [0] https://lists.debian.org/debian-devel-announce/2016/03/msg0.html

Hi,

IIRC Ben said that the next upstream kernel being tagged as LTS will be 
the one included in Debian stretch, so we’ll probably have 4.9… unless 
Greg KH changes his mind again. :D


Cheers,
Vincent




Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Arturo Borrero Gonzalez
On 24 November 2016 at 01:34, Peter Colberg  wrote:
>
> While the nftables package in Debian stretch will support notrack, the
> corresponding kernel support was committed after the 4.9 merge window:
>
> https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688
>
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?


Debian stretch will include linux 4.10 [0], so no problem.


[0] https://lists.debian.org/debian-devel-announce/2016/03/msg0.html



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Peter Colberg
On Thu, Nov 24, 2016 at 01:55:01AM +0100, Jens Reyer wrote:
> According to
> https://lists.debian.org/debian-devel-announce/2016/03/msg0.html it
> will be 4.10.

That would be great. After the recent announcement that 4.9 will
probably be the next LTS kernel I assumed that the same version
would also be shipped with stretch.

http://kroah.com/log/blog/2016/09/06/4-dot-9-equals-equals-next-lts-kernel/

Peter



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Peter Colberg
On Wed, Nov 23, 2016 at 07:34:42PM -0500, Peter Colberg wrote:
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?

The same applies to kernel support for the "fib" expression that may
be used for reverse path filtering (analogous to iptables rp_filter).

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit?id=f6d0cbcf09c506b9b022df8f9d7693a7cec3c732

That patch is more extensive and there are many more commits needed to
sync nftables kernel support with userspace. Backporting does not make
much sense. I am crossing fingers for 4.10 making it into stretch.

Peter



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Jens Reyer
On 24.11.2016 01:34, Peter Colberg wrote:
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?

According to
https://lists.debian.org/debian-devel-announce/2016/03/msg0.html it
will be 4.10.

Greets
jre



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Peter Colberg
Control: reassign -1 linux 4.9~rc5-1~exp1

Dear Maintainer,

nftables recently added support for a notrack target, which is used to
disable connection tracking for selected packets, e.g., on a web server.

http://git.netfilter.org/nftables/commit/?id=a84921d7c0de950632ab4630dd4f7ad763e9e453

While the nftables package in Debian stretch will support notrack, the
corresponding kernel support was committed after the 4.9 merge window:

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688

Assuming 4.9 becomes the stretch kernel, could you backport the patch?

Regards,
Peter



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Peter Colberg
Control: tags -1 upstream

On Wed, Nov 23, 2016 at 06:34:06PM -0500, Peter Colberg wrote:
> The latest snapshot of nftables adds a notrack target that may
> be used to disable connection tracking for selected packets:

This is the corresponding patch for netfilter:

https://patchwork.ozlabs.org/patch/684684/

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_ct.c

Looks like it has simply not been merged yet:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nft_ct.c

Peter



Bug#845500: nftables: notrack target fails with No such file or directory

2016-11-23 Thread Peter Colberg
Package: nftables
Version: 0.6+snapshot20161117-2
Severity: normal

Dear Maintainer,

The latest snapshot of nftables adds a notrack target that may
be used to disable connection tracking for selected packets:

#!/usr/sbin/nft -f

flush ruleset

table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300;
        iif lo notrack
    }
    chain output {
        type filter hook output priority -300;
        oif lo notrack
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related,untracked accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}


Loading the above ruleset fails with

# /etc/nftables.conf
/etc/nftables.conf:5:1-2: Error: Could not process rule: No such file or directory
table inet raw {
^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: No such file or directory
table inet raw {
^^

I tried both linux-image-4.8.0-1-amd64 and linux-image-4.9.0-rc5-amd64-unsigned.

Regards,
Peter
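As an added example, not part of this bug thread and not code from the nftables project: a pre-flight shell check that compares the running kernel against the minimum the ruleset's features need, for both the notrack statement reported here and the fib expression mentioned earlier in the thread (both landed after the 4.9 merge window, so Linux 4.10 is the assumed floor), and, when nft is installed, runs its check mode (`nft -c -f`) and labels the ENOENT error shown above. The version floor `MIN_KERNEL_CT_FIB`, the function names and the error classification are my assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the nftables project.
# Pre-flight check before loading an nftables ruleset on a kernel that may be
# older than the ruleset's features. Assumption taken from the thread: the
# "notrack" statement and the "fib" expression need kernel support that landed
# after the 4.9 merge window, i.e. Linux >= 4.10 (MIN_KERNEL_CT_FIB).

MIN_KERNEL_CT_FIB="4.10"

# major_minor "4.9.0-1-amd64" -> "4.9"; a bare "5" becomes "5.0".
major_minor() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    case $v in *.*) ;; *) v="$v.0" ;; esac
    rest=${v#*.}
    printf '%s.%s' "${v%%.*}" "${rest%%.*}"
}

# kernel_at_least RUNNING REQUIRED -> exit status 0 if RUNNING >= REQUIRED.
kernel_at_least() {
    have=$(major_minor "$1"); need=$(major_minor "$2")
    hmaj=${have%%.*}; hmin=${have#*.}
    nmaj=${need%%.*}; nmin=${need#*.}
    [ "$hmaj" -gt "$nmaj" ] && return 0
    [ "$hmaj" -eq "$nmaj" ] && [ "$hmin" -ge "$nmin" ]
}

# required_kernel_for_ruleset < ruleset -> prints the minimum kernel version
# the ruleset needs, or nothing if no newer-than-baseline feature is used.
# Comments are stripped first so a "# fib" remark does not count.
required_kernel_for_ruleset() {
    if sed 's/#.*//' | grep -Eq '(^|[^[:alnum:]_])(notrack|fib)([^[:alnum:]_]|$)'; then
        printf '%s' "$MIN_KERNEL_CT_FIB"
    fi
}

# classify_nft_error "<one line of nft stderr>" -> short diagnosis.
# ENOENT on "Could not process rule" is what the bug report hit: the kernel
# has no such expression/statement, so the rule cannot be added.
classify_nft_error() {
    case $1 in
        *"Could not process rule: No such file or directory"*)
            echo "kernel lacks an expression used by this rule (ENOENT); check kernel version/modules" ;;
        *Error:*)
            echo "other nft error" ;;
        *)
            echo "not an nft error line" ;;
    esac
}

# main RULESET_FILE: check the running kernel first, then (only if nft is
# installed) run nft's check mode so nothing is actually applied.
main() {
    file=$1
    need=$(required_kernel_for_ruleset < "$file")
    running=$(uname -r)
    if [ -n "$need" ] && ! kernel_at_least "$running" "$need"; then
        echo "$file needs Linux >= $need (notrack/fib); running $running" >&2
        return 1
    fi
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file" 2>&1 | while IFS= read -r line; do
            printf '%s  <- %s\n' "$line" "$(classify_nft_error "$line")"
        done
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh nft-preflight.sh /etc/nftables.conf` (hypothetical script name). The kernel comparison only looks at major.minor, which is all the thread's question turns on; a distribution kernel that backported the expressions would still be rejected by the version test but would pass `nft -c`, so the check mode is the authoritative step when nft is available.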