From: Ken-ichirou MATSUZAWA <chama...@gmail.com>
Should be - 1 as in other _MAX definitions.
Signed-off-by: Ken-ichirou MATSUZAWA <cha...@h4.dion.ne.jp>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
incl
rowa...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_hashlimit.c | 25 +
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 10063408141d..84ad5a
e current conntrack helper name, ignore it instead of generating
an error.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 17 +
1 file changed, 13 insertions(+), 4 del
From: Jozsef Kadlecsik
Wrong index was used and therefore when shrinking a hash bucket at
deleting an entry, valid entries could be evicted as well.
Thanks to Eric Ewanco for the thorough bugreport.
Fixes netfilter bugzilla #1119
Signed-off-by: Jozsef Kadlecsik
On Tue, Feb 21, 2017 at 03:25:22PM -0800, Jarno Rajahalme wrote:
> Commit 4dee62b1 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
> returns void") inadvertently changed the successful return value of
> nf_ct_expect_related_report() from 0 to 1 due to
> __nf_ct_expect_check() returning 1 on
On Tue, Feb 21, 2017 at 03:25:21PM -0800, Jarno Rajahalme wrote:
> Commit 4dee62b1 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
> returns void") inadvertently changed the successful return value of
> nf_ct_expect_related_report() from 0 to 1, which caused openvswitch
> conntrack integration
On Mon, Feb 06, 2017 at 11:50:33PM +0100, Alban Browaeys wrote:
> Dividing the divider by the multiplier before applying to the input.
> When this would "divide by zero", divide the multiplier by the divider
> first then multiply the input by this value.
>
> Currently user2creds outputs zero when
On Mon, Feb 13, 2017 at 03:13:37PM +0100, Andreas Schultz wrote:
>
>
> - On Feb 6, 2017, at 2:55 PM, Harald Welte lafo...@netfilter.org wrote:
>
> > Hi Andreas,
> >
> > On Mon, Jan 30, 2017 at 05:37:09PM +0100, Andreas Schultz wrote:
> >> Both functions are always used together with the
On Mon, Feb 13, 2017 at 10:25:19AM +0100, Andreas Schultz wrote:
> Hi,
>
> I'm a bit late to comment, but maybe you can consider an additional
> change for v2...
>
> - On Feb 3, 2017, at 10:12 AM, Jonas Bonn jo...@southpole.se wrote:
>
> > The GTP-tunnel driver is explicitly GGSN-side as it
.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/nf_tables_api.c | 4
2 files changed, 5 insertions(+)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/netfilter/nf_tables.h
index ab155644d489..5830f5
From: Phil Sutter <p...@nwl.cc>
If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field
data into *dest, but instead set it to 1 if the header is found and 0
otherwise.
Signed-off-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Although semantics are similar to deactivate() with no implicit element
lookup, this is only called from the set flush path, so better rename
this to flush().
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 8
net/netfilter/nf_tables
of elements, so we cannot calculate the real memory that this set
needs. This also helps us break ties in the set backend selection
routine, e.g. two backend implementations provide the same performance.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 2 +
From: Gao Feng <f...@ikuai8.com>
timer_del() followed by timer_add() can be replaced by
mod_timer_pending().
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_sip.c | 12 +---
1 file cha
This new parameter is required by the new bitmap set type that comes in a
follow up patch.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/nft_set_hash.c | 3 ++-
net/net
Use uX types instead.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink.c | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index a09fa9fd8f3d..586212ebba9e 100644
---
Instead of struct nft_set_dump_args, remove unnecessary wrapper
structure.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 +---
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/net
an error.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_ct.c | 22 +++---
2 files changed, 21 insertions(+), 3 deletions(-)
Use lookup as field name instead, to prepare the introduction of the
memory class in a follow up patch.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 12 ++--
net/netfilter/nft_set_
ise the
hash table set implementation is used.
For 8 bit keys, the bitmap consumes 66 bytes. For 16 bit keys, the
bitmap takes 16388 bytes.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/Kconfig | 6 +
net/netfilter/Makefile | 1 +
net/
y have that in the set_destroy function place that in
a separate function and call it from the set init function.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 29 +++--
1 file chan
From: Gao Feng <f...@ikuai8.com>
Because nf_ct_expect_insert() always succeeds now, its return value can
be just void instead of int. And remove code that checks for its return
value.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
zone id set support
Gao Feng (2):
netfilter: nf_ct_sip: Use mod_timer_pending()
netfilter: nf_ct_expect: nf_ct_expect_insert() returns void
Manuel Messner (1):
netfilter: nft_exthdr: add TCP option matching
Pablo Neira Ayuso (14):
netfilter: nf_tables: pass netns to set->
From: Manuel Messner <m...@skelett.io>
This patch implements the kernel side of the TCP option patch.
Signed-off-by: Manuel Messner <m...@skelett.io>
Reviewed-by: Florian Westphal <f...@strlen.de>
Acked-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Neira Ay
to refer to an anonymous set from a batch.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h| 3 +++
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c| 26 ++
3 files chang
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
MAINTAINERS | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index a9368bba9b37..5864bbd99f8f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8579,9 +8579,8 @@ F:Documen
Add new nfnetlink_rcv_skb_batch() to wrap initial nfnetlink batch
handling.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink.c | 51 ++-
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/net/net
packet alloc/free of the template, use a percpu
template 'scratch' object and use the refcount to detect the (unlikely)
case where the template is still attached to another skb (i.e., previous
skb was nfqueued ...).
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
This patch implements the check generation id as provided by nfnetlink.
This allows us to reject ruleset updates against a stale baseline, so
userspace can retry the update with a fresh ruleset cache.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api
Check for NFT_SET_OBJECT feature flag, otherwise we may end up selecting
the wrong set backend.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 3 ++-
net/netfilter/nft_set_hash.c | 2 +-
net/netfilter/nft_set_rbtree.c | 2 +-
3 files chan
in the
batch begin message, then no check is performed.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/nfnetlink.h | 1 +
include/uapi/linux/netfilter/nfnetlink.h | 12
net/netfilter/nfnetlink.c
From: Pablo Neira <pa...@netfilter.org>
Add maintainers for this tunnel driver. Include the main osmocom.org mailing
list too.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: Harald suggests osmocom-net-g...@lists.osmocom.org is better ML for this.
MAINTAINERS | 8
Add maintainers for this tunnel driver. Include the main osmocom.org mailing
list too.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
MAINTAINERS | 8
1 file changed, 8 insertions(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 5864bbd99f8f..ce5dde23bd00
text()")
> Signed-off-by: Igor Pylypiv <igor.pyly...@gmail.com>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
On Tue, Feb 07, 2017 at 11:13:12PM -0800, Igor Pylypiv wrote:
> I am not planning to add a new user of this functions.
> Use of skb_find_text() was a part of my Linux study and its
> description informed me that I can use textsearch_next()
> which I cannot. Just want to fix this.
Send us a
On Sat, Feb 04, 2017 at 09:48:30PM -0800, Igor Pylypiv wrote:
> This reverts commit 059a2440fd3cf4ec57735db2c0a90401cde84fca.
>
> Textsearch state parameter should be passed by pointer because
> its resulting value is needed for call to textsearch_next().
You're right this renders
On Mon, Feb 06, 2017 at 03:16:22PM +0100, Harald Welte wrote:
> Hi Jonas,
>
> On Mon, Feb 06, 2017 at 02:33:07PM +0100, Jonas Bonn wrote:
> > Fair enough. The use-case I am looking at involves PGW load-testing where
> > the simulated load is generated locally on the SGSN so it _is_ seeing IP
> >
Hi Jonas,
On Mon, Feb 06, 2017 at 02:33:07PM +0100, Jonas Bonn wrote:
> Hi Pablo,
>
> On 02/06/2017 12:08 PM, Pablo Neira Ayuso wrote:
> >Hi Jonas,
> >
> >On Fri, Feb 03, 2017 at 10:12:31AM +0100, Jonas Bonn wrote:
> >>The GTP-tunnel driver is explici
On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote:
> Dividing the divider by the multiplier before applying to the input.
> When this would "divide by zero", divide the multiplier by the divider
> first then multiply the input by this value.
>
> Currently user2creds outputs zero when
Hi Jonas,
On Fri, Feb 03, 2017 at 10:12:31AM +0100, Jonas Bonn wrote:
> The GTP-tunnel driver is explicitly GGSN-side as it searches for PDP
> contexts based on the incoming packets _destination_ address. If we
> want to write an SGSN, then we want to be identifying PDP contexts
> based on
268 87731 156b3 nf_conntrack.ko
new:
   text    data     bss     dec     hex filename
   2442    1184       0    3626     e2a nf_conntrack_proto_udp.o
  68565   17721     268   86554   1521a nf_conntrack.ko
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
From: Willem de Bruijn <will...@google.com>
Convert arptables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa..
oogle.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.h | 9 +++
net/netfilter/x_tables.c | 54 ++
2 files changed, 63 insertions(+)
diff --git a/include/linux/netfilter/x_tables.h
b/inclu
smatching crc32c in the SCTP header.
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 32
1 file changed, 32 insertions(+)
diff
From: Liping Zhang <zlpnob...@gmail.com>
Similar to xt_connbytes, user can match how many average bytes per packet
a connection has transferred so far.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/ua
32c so that it is selected when NF_CT_PROTO_SCTP=y.
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/Kconfig | 2 +-
1 file changed, 1 insertion
From: Willem de Bruijn <will...@google.com>
Convert iptables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
From: Willem de Bruijn <will...@google.com>
Convert ip6tables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa..
onvert it to PACKET_BROADCAST/MULTICAST according to the destination
address's type; For ipv6, convert it to PACKET_MULTICAST directly.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_meta.c | 28 ++
rwrite
fields of an already copy_to_user'd struct with ebt_XXX_to_user
helpers that copy all relevant fields of the struct from scratch.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/netfilt
From: Willem de Bruijn <will...@google.com>
Convert compat to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
From: Geliang Tang <geliangt...@gmail.com>
To make the code clearer, use rb_entry() instead of container_of() to
deal with rbtree.
Signed-off-by: Geliang Tang <geliangt...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_connlimit.c | 4 ++
From: Florian Westphal <f...@strlen.de>
Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
i
the kernel" to find
relevant matches and targets. Manually inspected the structs to derive
a valid offsetof.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/netfilter/ebt_limit.c | 1 +
net/ipv4/netfilter/ipt
From: Liping Zhang <zlpnob...@gmail.com>
Since there's no broadcast address in IPv6, in the ipv6 family the
PACKET_LOOPBACK must be multicast packets, so there's no need to check
it again.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa..
ed-off-by: Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 48 ++-
1 file changed, 25 insertions(+), 23 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_
/proc/sys/net/netfilter/nf_log_all_netns
to a nonzero value. This sysctl is only accessible from init_net so that
one cannot switch the behaviour from inside a container.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Docume
the
nf_conn entry protocol area. This works because templates are not
handed off to L4 protocol trackers.
Reported-by: kbuild test robot <fengguang...@intel.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/n
) helpers,
this is to avoid undoing the skb_nfct() use when we remove untracked
conntrack object in the future.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/skbuff.h | 21 +
From: Florian Westphal <f...@strlen.de>
Next patch makes direct skb->nfct access illegal, reduce noise
in next patch by using accessors we already have.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
original condition checks.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 15 +++
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfil
ong _nfct' in followup patch.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_dup_ipv4.c | 2 +-
net/ipv6/netfilter/nf_dup_ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netf
From: Florian Westphal <f...@strlen.de>
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-
and returns early in this case.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 12 ++--
net/ipv6/netfilter/nf
Signed-off-by: Simon Horman <ho...@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/ip_vs.h| 2 +-
net/netfilter/ipvs/ip_vs_ctl.c | 8 +++-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/include/net/ip_vs.h b/include/net/ip_v
ed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/Makefile | 1 -
net/netfilter/nf_nat_proto_udp.c | 78 ++--
net/netfilter/nf_nat_proto_udplite.c | 73
From: Liping Zhang <zlpnob...@gmail.com>
We missed adding descriptions about NFT_CT_LABELS, NFT_CT_PKTS and
NFT_CT_BYTES, so add them now.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_t
Hi David,
The following patchset contains Netfilter updates for your net-next
tree, they are:
1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from
sk_buff so we only access one single cacheline in the conntrack
hotpath. Patchset from Florian Westphal.
2) Don't leak pointer
On Thu, Feb 02, 2017 at 03:38:07PM +0100, Andreas Schultz wrote:
>
>
> - On Feb 2, 2017, at 3:28 PM, pablo pa...@netfilter.org wrote:
>
> > On Thu, Feb 02, 2017 at 03:12:55PM +0100, Andreas Schultz wrote:
> >> Hi,
> >>
> >> - On Feb 2, 2017, at 2:56 PM, pablo pa...@netfilter.org wrote:
On Thu, Feb 02, 2017 at 03:30:51PM +0100, Andreas Schultz wrote:
>
>
> - On Feb 2, 2017, at 3:10 PM, pablo pa...@netfilter.org wrote:
>
> > On Mon, Jan 30, 2017 at 05:37:08PM +0100, Andreas Schultz wrote:
> >> Having both GTPv0-U and GTPv1-U is not always desirable.
> >> Fallback from
On Thu, Feb 02, 2017 at 03:27:17PM +0100, Andreas Schultz wrote:
>
>
> - On Feb 2, 2017, at 3:19 PM, pablo pa...@netfilter.org wrote:
>
> > On Mon, Jan 30, 2017 at 05:37:10PM +0100, Andreas Schultz wrote:
> >> This unifies duplicate code into a helper. It also prepares the
> >> groundwork
On Thu, Feb 02, 2017 at 03:12:55PM +0100, Andreas Schultz wrote:
> Hi,
>
> - On Feb 2, 2017, at 2:56 PM, pablo pa...@netfilter.org wrote:
>
> > On Mon, Jan 30, 2017 at 05:37:12PM +0100, Andreas Schultz wrote:
> >> Having the socket present in context simplifies the sending logic.
> >> It
On Mon, Jan 30, 2017 at 05:37:10PM +0100, Andreas Schultz wrote:
> This unifies duplicate code into a helper. It also prepares the
> groundwork to add a lookup version that uses the socket to find
> attached pdp contexts.
>
> Signed-off-by: Andreas Schultz
> ---
>
On Mon, Jan 30, 2017 at 05:37:08PM +0100, Andreas Schultz wrote:
> Having both GTPv0-U and GTPv1-U is not always desirable.
> Fallback from GTPv1-U to GTPv0-U was deprecated from 3GPP
> Rel-8 onwards. Post Rel-8 implementations are discouraged
> from listening on the v0 port (see 3GPP TS 29.281,
On Mon, Jan 30, 2017 at 05:37:12PM +0100, Andreas Schultz wrote:
> Having the socket present in context simplifies the sending logic.
> It also fixes the invalid assumption that we have to use the same
> sending socket for all client IP's on a specific gtp interface.
>
> Signed-off-by: Andreas
ove useless functions
xtables-translate: add escape_quotes option to comment_xlate
xtables-compat: check if nft ruleset is compatible
xtables-compat: add rule cache
xtables-translate-restore: do not escape quotes
Pablo Neira Ayuso (13):
nft: xtables: add generic pars
On Fri, Jan 27, 2017 at 09:07:38AM +0100, Simon Horman wrote:
> On Thu, Jan 26, 2017 at 10:49:10PM +0200, Julian Anastasov wrote:
> >
> > Hello,
> >
> > On Mon, 23 Jan 2017, David Windsor wrote:
> >
> > > Currently, the ip_vs_dest cache frees ip_vs_dest objects when their
> > > reference
use to carry the mark unless we later on reset it back, which
I discarded since it looks ugly to me.
Fixes: bf99b4ded5f8 ("tcp: fix mark propagation with fwmark_reflect enabled")
Suggested-by: Eric Dumazet <eric.duma...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfil
On Thu, Jan 26, 2017 at 10:02:40AM -0800, Eric Dumazet wrote:
> On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote:
> > From: Pau Espin Pedrol <pespin.s...@gmail.com>
> >
> > Otherwise, RST packets generated by the TCP stack for non-existing
> > sockets
@google.com>
Signed-off-by: Pau Espin Pedrol <pau.es...@tessares.net>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/net/ipv4/netf
igned-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 21 ++---
net/netfilter/nft_dynset.c| 3 ++-
net/netfilter/nft_lookup.c| 3 ++-
net/netfilter/nft_objref.c| 6 --
/0x2a0
__netlink_dump_start+0x161/0x190
nf_tables_getobj+0xe8/0x280 [nf_tables]
Fixes: a9fea2a3c3cf ("netfilter: nf_tables: allow to filter stateful object
dumps by type")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/n
possible
netfilter: nft_log: restrict the log prefix length to 127
Pablo Neira Ayuso (3):
netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL
netfilter: nf_tables: deconstify walk callback function
netfilter: nf_tables: bump set->ndeact on set flush
Pau
From: Alexander Alemayhu <alexan...@alemayhu.com>
o s/numerice/numeric
o s/opertaor/operator
Signed-off-by: Alexander Alemayhu <alexan...@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 4 ++--
1 file cha
b when the socket sends it.
Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lore...@google.com>
Signed-off-by: Pau Espin Pedrol <pau.es...@tessares.net>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/ip_o
The flush operation needs to modify set and element objects, so let's
deconstify this.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 6 +++---
net/netfilter/nf_tables_api.c | 24
net/netfilter/nft_set_hash.c
ed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b84c7b25219b..831a9a16f563 100644
--- a/net/netfilter
t x y
# nft add element x y { 1.1.1.1 }
:1:1-28: Error: Could not process rule: Too many open files in system
Fixes: 8411b6442e59 ("netfilter: nf_tables: support for set flushing")
Reported-by: Elise Lennion <elise.lenn...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@n
2736 ("netfilter: add help information to new nf_tables Kconfig
options")
Signed-off-by: William Breathitt Gray <vilhelm.g...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
in output {
type filter hook output priority 0; policy accept;
}
}
So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <
trlen.de>
Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfi
ted
broadcast/multicast, too")
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nft_fib.h| 6 ++
net/ipv4/netfilte
htel <nicolas.dich...@6wind.com>
Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com>
Tested-by: Denys Fedoryshchenko <nuclear...@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 39 --
the check inside of another #ifdef.
Fixes: 6c5d5cfbe3c5 ("netfilter: ipt_CLUSTERIP: check duplicate config when
initializing")
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++
ink creation).
>
> Remove the now obsolete net field from gtp_dev.
>
> Signed-off-by: Andreas Schultz <aschu...@tpip.net>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
On Thu, Jan 26, 2017 at 04:11:32PM +0100, Andreas Schultz wrote:
> Auto-load the module when userspace asks for the gtp netlink
> family.
>
> Acked-by: Harald Welte <lafo...@netfilter.org>
> Signed-off-by: Andreas Schultz <aschu...@tpip.net>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
y fragment the GTP
> > packet if needed, according to IPv4.
>
> Acked-by: Harald Welte <lafo...@netfilter.org>
> Signed-off-by: Andreas Schultz <aschu...@tpip.net>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
On Tue, Jan 24, 2017 at 09:02:31PM +0100, Andreas Schultz wrote:
> Hi Pablo,
>
> - On Jan 24, 2017, at 8:03 PM, pablo pa...@netfilter.org wrote:
>
> > Hi Andreas,
> >
> > On Tue, Jan 24, 2017 at 06:24:02PM +0100, Andreas Schultz wrote:
> >> enable userspace to send error replies for invalid
On Tue, Jan 24, 2017 at 06:24:01PM +0100, Andreas Schultz wrote:
> The rcu read lock is hold by default in the ip input path. There
> is no need to hold it twice in the socket recv decapsulate code path.
I think this is net-next material since it is not essential.
On Tue, Jan 24, 2017 at 06:23:59PM +0100, Andreas Schultz wrote:
> 3GPP TS 29.281 and 3GPP TS 29.060 imply that GTP-U packets should be
> sent with the DF bit cleared. For example 3GPP TS 29.060, Release 8,
> Section 13.2.2:
>
> > Backbone router: Any router in the backbone may fragment the GTP
>