On Fri, Jul 22, 2016 at 12:59:15PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> It could simplify the codes without any side effect.
> The set_expect_timeout is used to modify the timer expired time.
> It tries to delete timer, and add it again.
> So we could use mod_timer
On Thu, Jul 21, 2016 at 05:26:47PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
Please, add description to your patches.
Cc'ing netfilter-de...@vger.kernel.org is sufficient for netfilter
patches unless you really want to attract attention from other netdev
developers, and
On Thu, Jul 21, 2016 at 06:45:53PM +0200, Pablo Neira Ayuso wrote:
> > diff --git a/net/netfilter/nf_conntrack_core.c
> > b/net/netfilter/nf_conntrack_core.c
> > index 153e33f..634d592 100644
> > --- a/net/netfilter/nf_conntrack_core.c
> > +++ b/net/netfilter/nf_co
This patch title is too long, no more than 80 chars.
On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
Please, include a description here.
> Signed-off-by: Gao Feng
More comments below.
> ---
> v1: Initial Version
>
>
This patch title is too long, no more than 80 chars please, when it
goes over that boundary it becomes a description ;)
More comments below.
On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> Signed-off-by: Gao Feng
> ---
>
On Wed, Jul 20, 2016 at 08:31:13AM +0800, 高峰 wrote:
> Thanks Pablo.
>
> I had used the script "checkpatch.pl" to check the patch file.
> There was no indentation error reported.
>
> So could you give me more tails please or point one indentation error?
> Then I could correct it by myself next
On Wed, Jul 20, 2016 at 09:02:52AM +0800, 高峰 wrote:
> Oh, thanks Liping.
> I have not found the extra port styles are different of irc, sane and tftp
> with ftp.
>
> Hi Pablo,
> Then should I modify the original patch or send a new one?
No need to resend, I have just sent an amendment that I'm
On Wed, Jul 20, 2016 at 08:51:17AM +0800, Liping Zhang wrote:
> 2016-07-18 11:39 GMT+08:00 :
> > From: Gao Feng
> >
> > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister
> > functions to enhance the conntrack helper codes.
>
> I think this patch
On Mon, Jul 18, 2016 at 11:39:23AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister
> functions to enhance the conntrack helper codes.
Applied, thanks.
I have manually updated indentations to make it fit to our
On Tue, Jul 12, 2016 at 11:32:21AM -0400, Aaron Conole wrote:
> The netfilter hook list never uses the prev pointer, and so can be
> trimmed to be a smaller singly-linked list.
>
> In addition to having a more light weight structure for hook traversal,
> struct net becomes 5568 bytes (down from
On Tue, Jul 12, 2016 at 11:32:20AM -0400, Aaron Conole wrote:
> From: Florian Westphal
>
> This makes things simpler because we can store the head of the list
> in the nf_state structure without worrying about concurrent add/delete
> of hook elements from the list.
This is
On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote:
> +/* recursively invokes nf_hook_slow (again), skipping already-called
> + * hooks (< NF_BR_PRI_BRNF).
> + *
> + * Called with rcu read lock held.
> + */
> +int br_nf_hook_thresh(unsigned int hook, struct net *net,
> +
netfilter: nft_ct: fix expiration getter
Liping Zhang (2):
netfilter: nf_tables: fix memory leak if expr init fails
netfilter: nft_meta: set skb->nf_trace appropriately
Pablo Neira Ayuso (2):
Merge tag 'ipvs-fixes2-for-v4.7' of https://git.kernel.org/.../horms/i
clash resolution on
insertion race")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Tested-by: Marc Dionne <marc.c.dio...@gmail.com>
---
net/netfilter/nf_conntrack_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_
From: Florian Westphal <f...@strlen.de>
Can overflow so we might allocate very small table when bucket count is
high on a 32bit platform.
Note: resize is only possible from init_netns.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa..
per-ct timer.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 8
net/netfilter/nft_ct.c | 6 +-
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/inc
Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2c88187..cf7c745 100644
-
From: Quentin Armitage
When using HEAD from
https://git.kernel.org/cgit/utils/kernel/ipvsadm/ipvsadm.git/,
the command:
ipvsadm --start-daemon backup --mcast-interface eth0.60 \
--mcast-group ff02::1:81
fails with the error message:
Argument list too long
whereas
From: Liping Zhang <liping.zh...@spreadtrum.com>
When the user adds an nft rule to set nftrace to zero, for example:
# nft add rule ip filter input nftrace set 0
We should set nf_trace to zero also.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
On Mon, Jul 11, 2016 at 06:17:39PM -0300, Marc Dionne wrote:
> Hi Pablo,
>
> Testing out your patch:
>
> 1) With no NAT in place, the clash resolution happens, with no side
> effects. No EPERM errors are seen.
>
> 2) With ip(6)table_nat loaded, the clash resolution fails and I get
> some EPERM
back the EPERM errors that you've
observed so far.
Please, test both scenarios and report back. Thanks.
From c3b9dfbcf35ea38a3dce22daf7450fc23c620aea Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pa...@netfilter.org>
Date: Mon, 11 Jul 2016 17:28:54 +0200
Subject: [PATCH] netf
On Sat, Jul 09, 2016 at 01:30:38AM +0200, Florian Westphal wrote:
> Aaron Conole wrote:
> > --- a/net/netfilter/core.c
> > +++ b/net/netfilter/core
> [..]
> > +#define nf_entry_dereference(e) \
> > + rcu_dereference_protected(e, lockdep_is_held(_hook_mutex))
> >
> >
On Thu, Jul 07, 2016 at 08:30:21PM +0200, Simon Horman wrote:
> Hi Pablo,
>
> please consider this IPVS fix for v4.7.
>
> The fix from Quentin Armitage allows the backup sync daemon to
> be bound to a link-local mcast IPv6 address as is already the case
> for IPv4.
>
> The following changes
On Thu, Jul 07, 2016 at 08:40:39PM +0200, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS. This alters the behaviour
> of the "least connection" schedulers such that pre-established connections
> are included in the active connection count. This avoids
On Wed, Jul 06, 2016 at 06:26:39PM -0400, Vishwanath Pai wrote:
> On 07/05/2016 04:13 PM, Vishwanath Pai wrote:
> > On 06/25/2016 05:39 AM, Pablo Neira Ayuso wrote:
> >> I see, but I'm not convinced about this /proc rename feature.
> >>
> >> I think the main poi
set->ops->deactivate() is invoked from nft_del_setelem() that happens
from the transaction path, so we have to check if the object is active
in the next generation, not the current.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_rbtree.c | 2 +-
1 fil
ate these macros into a single NF_INVF macro.
Miscellanea:
o Neaten the alignment around these uses
o A few lines are > 80 columns for intelligibility
Signed-off-by: Joe Perches <j...@perches.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x
ect interferences
through the generation counter so it can restart the dumping.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 6 ++-
net/netfilter/nf_tables_api.c | 101 +-
2 files changed, 62 insertio
From: Moritz Sichert <moritz+li...@sichert.me>
This option was removed in commit 47dcf0cb1005 ("[NET]: Rethink mark field
in struct flowi").
Signed-off-by: Moritz Sichert <moritz+li...@sichert.me>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
From: Liping Zhang <liping.zh...@spreadtrum.com>
When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_log.c | 20 +++
Similar to ("netfilter: nf_tables: add generation mask to tables").
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 8 +++--
net/netfilter/nf_tables_api.c | 68 +++
net/netfilter/nft_dyns
<lixi...@cmss.chinamobile.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c69c892..8aff34e 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_t
> /proc/sys/net/netfilter/nf_log/0
cat /proc/sys/net/netfilter/nf_log/0
nfnetlink_log
echo NONE > /proc/sys/net/netfilter/nf_log/0
cat /proc/sys/net/netfilter/nf_log/0
NONE
v2: add missed error check for proc_dostring
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.
om>
Acked-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/etherdevice.h | 23 +++
net/bridge/netfilter/ebt_arp.c | 17 +-
net/bridge/netfilter/ebt_stp.c | 49 ++---
_basechain() since they have no clients anymore after
this rework.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 1 -
net/netfilter/nf_tables_api.c | 62 ---
2 files changed, 25 insertions(+), 38 deletion
From: Florian Westphal <f...@strlen.de>
Those comparisons are useless in case of ZONES=n; all conntracks
will reside in the same zone by definition.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inc
_BREAK
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 6 ++
net/netfilter/nft_lookup.c | 37 +++-
2 files changed,
Thus, we can reuse these to check the genmask of any object type, not
only rules. This is required now that tables, chain and sets will get a
generation mask field too in follow up patches.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.
emoves the zone conntrack extension.
The zone data is just 4 bytes, it fits into a padding hole before
the tuplehash info, so we do not even increase the nf_conn structure size.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
netfilter/nf_conntrack_buckets
done
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Documentation/networking/nf_conntrack-sysctl.txt | 3 +-
include/net/netfilter/nf_conntrack.h | 1 +
net/netfilter/nf_conntrack_core.
No need for a special case to handle NF_INET_POST_ROUTING, this is
basically the same handling as for prerouting, input, forward.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/iptable_mangle.c | 4
net/ipv6/netfilter/ip6table_mangle.c | 4
2
--nflog-size now. --nflog-range would
still exist but does not do anything.
Reported-by: Joe Dollard <jdoll...@akamai.com>
Reviewed-by: Josh Hunt <joh...@akamai.com>
Signed-off-by: Vishwanath Pai <v...@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Florian Westphal <f...@strlen.de>
The expectation table is not duplicated per net namespace anymore, so we can
move the expectation table and conntrack table iteration out of the per-net loop.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
Similar to ("netfilter: nf_tables: add generation mask to tables").
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 +-
net/netfilter/nf_tables_api.c | 89 +--
2 files changed, 60 i
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c
b/net/ipv4/netfilter/nf_reject_ipv4.c
index b6ea57e..fd82202 100644
--- a/net/ipv4/netfilter/nf_reject_ipv
From: Florian Westphal <f...@strlen.de>
increases struct size by 32 bytes (288 -> 320), but it is the right thing,
else any attempt to (re-)arrange nf_conn members by cacheline won't work.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <p
This sequence is valid and may be triggered by robots. To resolve this
problem, allow deactivating elements that are active in the current
generation (i.e. those that have just been added in this batch).
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_hash
anully. So we should add request related nf_log module
appropriately here.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_TRACE.c | 25 +
From: Tobin C Harding <m...@tobin.cc>
checkpatch produces data type 'checks'.
This patch amends them by changing, for example:
uint8_t -> u8
Signed-off-by: Tobin C Harding <m...@tobin.cc>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/net
rnekee <cerne...@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_owner.c | 41 +++--
1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 1
From: Shivani Bhardwaj <shivanib...@gmail.com>
If 'logger' was NULL, there would be a direct jump to the label 'out',
since it has already been checked for NULL, remove this unnecessary
check.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
Signed-off-by: Pablo Nei
handle NFPROTO_INET properly in
nf_logger_[find_get|put]
netfilter: xt_TRACE: add explicitly nf_logger_find_get call
netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP
Moritz Sichert (1):
netfilter: Remove references to obsolete CONFIG_IP_ROUTE_FWMARK
On Fri, Jul 01, 2016 at 04:53:54PM +0300, Pavel Tikhomirov wrote:
> It is hard to unbind nf-logger:
>
> echo NONE > /proc/sys/net/netfilter/nf_log/0
> bash: echo: write error: No such file or directory
>
> sysctl -w net.netfilter.nf_log.0=NONE
> sysctl: setting key
Hi,
On Mon, Jul 04, 2016 at 09:35:28AM -0300, Marc Dionne wrote:
> If there is no quick fix, seems like a revert should be considered:
> - Looks to me like the commit attempts to fix a long standing bug
> (exists at least as far back as 3.5,
> https://bugzilla.kernel.org/show_bug.cgi?id=52991)
>
the same
examples: fix display condition
examples: use mnl_socket_setsockopt
socket: creating a struct mnl_socket from a pre-existing socket
doc: minor fix
Markus Teich (1):
header: use sysconf() instead of getpagesize()
Pablo Neira Ayuso (18):
examples: add genl
On Fri, Jun 24, 2016 at 04:42:31PM -0400, Vishwanath Pai wrote:
> Added tests to libxt_NFLOG.t for the new option --nflog-size
>
> --
>
> netfilter/nflog: nflog-range does not truncate packets
>
> The option --nflog-range has never worked, but we cannot just fix this
> because users might be
On Tue, Jun 28, 2016 at 09:01:12AM -0400, David Miller wrote:
> From: Joe Perches
> Date: Fri, 24 Jun 2016 11:32:26 -0700
>
> > There are code duplications of a masked ethernet address comparison here
> > so make it a separate function instead.
> >
> > Miscellanea:
> >
> > o
Hi,
On Fri, Jun 24, 2016 at 02:24:18PM -0400, Vishwanath Pai wrote:
> On 06/23/2016 06:25 AM, Pablo Neira Ayuso wrote:
> > On Wed, Jun 01, 2016 at 08:17:59PM -0400, Vishwanath Pai wrote:
> >> libxt_hashlimit: iptables-restore does not work as expected with
> >>
On Fri, Jun 24, 2016 at 10:51:28AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 23, 2016 at 12:00:00PM -0700, Joe Perches wrote:
> > On Thu, 2016-06-23 at 19:36 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote:
> > >
On Thu, Jun 23, 2016 at 12:00:00PM -0700, Joe Perches wrote:
> On Thu, 2016-06-23 at 19:36 +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote:
> > >
> > > There is code duplication of a masked ethernet address co
On Tue, Jun 21, 2016 at 03:02:16PM -0400, Vishwanath Pai wrote:
> netfilter/nflog: nflog-range does not truncate packets
>
> The option --nflog-range has never worked, but we cannot just fix this
> because users might be using this feature option and their behavior would
> change. Instead add a
On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote:
> There is code duplication of a masked ethernet address comparison here
> so make it a separate function instead.
>
> Miscellanea:
>
> o Neaten alignment of FWINV macro uses to make it clearer for the reader
Applied, thanks.
>
On Tue, Jun 21, 2016 at 02:58:46PM -0400, Vishwanath Pai wrote:
> netfilter/nflog: nflog-range does not truncate packets
>
> li->u.ulog.copy_len is currently ignored by the kernel, we should truncate
> the packet to either li->u.ulog.copy_len (if set) or copy_range before
> sending it to
On Wed, Jun 01, 2016 at 08:11:38PM -0400, Vishwanath Pai wrote:
> +static void
> +cfg_copy(struct hashlimit_cfg2 *to, void *from, int revision)
> +{
> + if (revision == 1) {
> + struct hashlimit_cfg1 *cfg = (struct hashlimit_cfg1 *)from;
> +
> + to->mode = cfg->mode;
>
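Review bot: In cfg_copy(), `from` is only read in the visible lines, so it should be declared `const void *from`, and the explicit cast `(struct hashlimit_cfg1 *)from` is unnecessary in C because a void pointer converts implicitly. Suggest `const struct hashlimit_cfg1 *cfg = from;`, which also lets the compiler reject accidental writes to the source config.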
Not specifically related to this patch.
It would be great if you can send us a patch to add new tests to
iptables/extensions/libxt_hashlimit.t for this new higher resolution
pps ratelimit.
Thanks!
On Wed, Jun 01, 2016 at 08:17:59PM -0400, Vishwanath Pai wrote:
> libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit
>
> Add the following iptables rule.
>
> $ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \
> --hashlimit-burst 5 --hashlimit-mode srcip
On Thu, Jun 02, 2016 at 10:59:56AM +0800, Xiubo Li wrote:
> Since we cannot make sure that the 'hook_mask' will always be
> non-zero here. If it equals zero, the num_hooks will be zero too,
> and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
>
> Then the following error check
<ka...@trash.net>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfil
estroy the set, which was already destroyed and
freed.
If we add a nft wrong rule, nft_tables_abort will do the cleanup
work rightly, so nf_tables_set_destroy call here is redundant and
wrong, remove it.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
Matt Whitlock says:
Without this line, the file xt_SYNPROXY.h does not get installed in
/usr/include/linux/netfilter/, and thus user-space programs cannot make
use of it.
Reported-by: Matt Whitlock <ker...@mattwhitlock.name>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Liping Zhang <liping.zh...@spreadtrum.com>
We should check "i" is used as a dictionary or not, "binding" is already
checked before.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
n
ng.
Reported-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Tested-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/nf_tables_api.c | 15 +--
net/net
):
netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set
netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails
netfilter: nf_tables: fix a wrong check to skip the inactive rules
Pablo Neira Ayuso (3):
netfilter: nf_tables: reject loops from set
From: Florian Westphal <f...@strlen.de>
I forgot to move the kmem_cache_destroy into the exit path.
Fixes: 0c5366b3a8c7 ("netfilter: conntrack: use single slab cache")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org
./usr/include/linux/netfilter/xt_SYNPROXY.h:11: found __[us]{8,16,32,64} type
without #include
Reported-by: kbuild test robot <l...@intel.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/xt_SYNPROXY.h | 2 ++
1 file changed, 2 inserti
On Thu, Jun 16, 2016 at 11:20:59AM -0700, Joe Perches wrote:
> There are several FWINV #defines with identical form
> that hide a specific structure variable and dereference
> it with a invflags member.
Right, this macro is obscure indeed.
> $ git grep "define FWINV"
>
On Wed, Jun 15, 2016 at 03:13:15PM +, Lubashev, Igor wrote:
> Vish, Pablo,
>
> I wonder about the value of sending more data than a client is
> willing to consume (setting aside the important fact that the client
> code crashes due to the extra data).
>
> It seems that we should either drop
On Sun, Jun 12, 2016 at 11:40:57PM -0400, Vishwanath Pai wrote:
> On 06/09/2016 01:57 PM, Vishwanath Pai wrote:
> > On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote:
> >> Looking again at your code:
> >>
> >> case NFULNL_COPY_PACKET:
> >> -
On Tue, Jun 14, 2016 at 09:52:49PM +0530, Kishan Sandeep wrote:
> Hi Pablo,
>
> On Tue, Jun 14, 2016 at 8:38 PM, Pablo Neira Ayuso <pa...@netfilter.org>
> wrote:
> > Cc'ing netfilter-devel.
> >
> > On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep w
Cc'ing netfilter-devel.
On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote:
> + netdev
>
> On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep
> wrote:
> > strncpy generally preferable for non-terminated
> > fixed-width strings. For NULL termination strlcpy
>
On Wed, Jun 08, 2016 at 07:31:21PM +0200, Pablo Neira Ayuso wrote:
> Then you can follow up with a patch to add this function.
>
> Just a suggestion, let me know if this is fine with you.
Forget this idea.
Actually your patch from: Date: Tue, 07 Jun 2016 11:02:30 -0700
looks easier to
On Wed, Jun 08, 2016 at 09:52:30AM -0700, Joe Perches wrote:
> On Wed, 2016-06-08 at 13:52 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote:
> > > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote:
> > > > On T
On Tue, Jun 07, 2016 at 07:06:15PM -0400, Vishwanath Pai wrote:
> On 06/06/2016 06:31 PM, Pablo Neira Ayuso wrote:
> > On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote:
> >> netfilter/nflog: nflog-range does not truncate packets
> >>
> >> The --
On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote:
> On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote:
> > > One more question, is this chunk below correct from
> > >
On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote:
> On Tue, 2016-06-07 at 17:14 +0200, Pablo Neira Ayuso wrote:
> > On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote:
> > > From: Tobin C Harding <m...@tobin.cc>
> > > This is my second linux ke
On Tue, May 10, 2016 at 11:26:58AM +1000, tcharding wrote:
> From: Tobin C Harding
>
> checkpatch produces comparison to null 'checks'.
>
> This patch amends them.
We have quite a lot of these in the netfilter tree, so I'd rather
start using preferred coding style from now on
On Tue, May 10, 2016 at 11:26:57AM +1000, tcharding wrote:
> From: Tobin C Harding
>
> checkpatch produces data type 'checks'.
>
> This patch amends them by changing, for example:
> uint8_t -> u8
This looks good. Applied, thanks.
Hi,
On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote:
> From: Tobin C Harding
>
> checkpatch produces various white space 'checks'.
>
> This patch amends them.
>
> Signed-off-by: Tobin C Harding
> ---
> This is my second linux kernel patch. Unsure if I
ferent
> macro [-Wheader-guard]
>
> fix by defining _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__
>
> Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Marco Angaroni
Previous patch that introduced handling of outgoing packets in SIP
persistent-engine did not call ip_vs_check_template() in case packet was
matching a connection template. Assumption was that real-server was
healthy, since it was sending a packet
org>
Tested-by: John Stultz <john.stu...@linaro.org>
Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 4
Hi David,
The following patchset contains two Netfilter/IPVS fixes for your net
tree, they are:
1) Fix missing alignment in next offset calculation for standard
targets, introduced in the previous merge window, patch from
Florian Westphal.
2) Fix to correct the handling of outgoing
On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote:
> netfilter/nflog: nflog-range does not truncate packets
>
> The --nflog-range parameter from userspace is ignored in the kernel and
> the entire packet is sent to the userspace. The per-instance parameter
> copy_range still works,
ferent
> macro [-Wheader-guard]
>
> fix by defining _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__
>
> Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
I don't see this in netdev's patchwork:
http://p
On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote:
> Toby DiPasquale wrote:
> > Is this latest patch OK?
>
> Yes, I don't know why it wasn't applied yet.
>
> Pablo?
This doesn't apply.
$ git am /tmp/off-by-one-in-DecodeQ931.patch -s
Applying: off-by-one in
On Mon, Jun 06, 2016 at 12:02:10AM +0200, Florian Westphal wrote:
> Andreas Schwab wrote:
> > > From: Florian Westphal
> > >
> > > We have targets and standard targets -- the latter carries a verdict.
> > >
> > > The ip/ip6tables validation functions will
On Mon, Jun 06, 2016 at 06:24:36PM +0900, Simon Horman wrote:
> Hi Pablo,
>
> please consider this IPVS fix for v4.7.
>
> The fix from Marco corrects the handling of outgoing connections
> which use the SIP-pe such that the binding of a real-server
> is updated when needed. This was an omission
ts
tests/py: modify supported test file syntax
tests/py: update test files syntax
rule: add 'list flow tables' support
rule: add support for display flow tables content
src: add 'list maps' support
src: add support for display maps content
evaluate: fix "
pernet exit path is not experienced in batch
mode.
Reported-by: Florian Westphal <f...@strlen.de>
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfil
From: Taehee Yoo <ap420...@gmail.com>
Helpers should unregister only the registered ports,
but a helper cannot have the correct registered ports value when
it failed to register.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>