From: Andrew Lunn
nft_request_module calls vsnprintf() using parameters passed to it.
Mark the function with the __printf() attribute so the compiler can check
the format and arguments.
Signed-off-by: Andrew Lunn
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 3 ++-
1 file
t.
Signed-off-by: Jose M. Guisado Gomez
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/ipv4/nf_reject.h | 10 ++
include/net/netfilter/ipv6/nf_reject.h | 9 ++
net/bridge/netfilter/Kconfig | 2 +-
net/bridge/netfilter/nft_reject_bridge.c | 195 +-
Neira Ayuso
---
net/ipv4/netfilter/nf_reject_ipv4.c | 6 --
net/ipv6/netfilter/nf_reject_ipv6.c | 5 +++--
net/netfilter/nft_reject_inet.c | 14 +-
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c
b/net/ipv4/netfilter
From: Jozsef Kadlecsik
It makes it possible to reproduce exactly the same set after a save/restore.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/ipset/ip_set.h | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h| 13 +
net
: ipset: Expose the initval hash parameter to userspace
Pablo Neira Ayuso (1):
netfilter: nft_reject_inet: allow to use reject from inet ingress
include/linux/netfilter/ipset/ip_set.h | 5 +
include/net/netfilter/ipv4/nf_reject.h | 10 ++
include/net/netfilter/ipv6/nf_reject.h
sado Gomez
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/nft_reject_bridge.c | 60 +---
net/netfilter/nft_reject.c | 12 -
net/netfilter/nft_reject_inet.c | 60 +---
3 files changed, 15 insertions(+), 117 deletions(-)
gress hook.
Joint work with Laura Garcia.
Signed-off-by: Jose M. Guisado Gomez
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/Kconfig | 10 ++
net/netfilter/Makefile| 1 +
net/netfilter/nft_reject_netdev.c | 189 ++
3 files changed, 200
Hi,
On Wed, Nov 04, 2020 at 02:01:28PM +0100, Georg Kohmann wrote:
> Packets are processed even though the first fragment doesn't include all
> headers through the upper layer header. This breaks TAHI IPv6 Core
> Conformance Test v6LC.1.3.6.
>
> Referring to RFC8200 SECTION 4.5: "If the first fragm
On Sat, Oct 31, 2020 at 07:21:44PM +0100, Andrew Lunn wrote:
> nft_request_module calls vsnprintf() using parameters passed to it.
> Mark the function with the __printf() attribute so the compiler can check
> the format and arguments.
Applied, thanks.
d, no
matter how many bytes we send, the rule will never match, because
counters themselves are not updated.
Reported-by: Mithil Mhatre
Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
Signed-off-by: Stefano Brivio
ake correct use of it following the
example of __ip_queue_xmit().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jason A. Donenfeld
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter_ipv4.h | 2 +-
include/linux/netfilter
oif is not supported there.
This patch fixes the lack of rule validation from the abort/check path
to catch configuration errors such as the one above.
Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation")
Signed-off-by: Pablo Neira Ayuso
---
include/linux
The netlink report should be sent regardless of the available listeners.
Fixes: 84d7fce69388 ("netfilter: nf_tables: export rule-set generation ID")
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter
in netfilter, test for
the relevant condition inside our test suite, since wireguard was where
the bug was discovered.
Reported-by: Chen Minqiang
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Pablo Neira Ayuso
---
tools/testing/selftests/wireguard/netns.sh | 8
tools/test
1:11 +0100)
Jason A. Donenfeld (2):
wireguard: selftests: check that route_me_harder packets use the right sk
netfilter: use actual socket sk rather than skb sk when routing harder
Pablo Neira Ayuso (2):
netfilter: nftables: fix netlink report logic in flowtable
On Sat, Oct 31, 2020 at 02:00:03AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Oct 31, 2020 at 01:05:03AM +0100, Jason A. Donenfeld wrote:
> > On Fri, Oct 30, 2020 at 8:23 PM Pablo Neira Ayuso
> > wrote:
> > >
> > > On Thu, Oct 29, 2020 at 03:56:04AM +0100, Jas
On Sat, Oct 31, 2020 at 01:05:03AM +0100, Jason A. Donenfeld wrote:
> On Fri, Oct 30, 2020 at 8:23 PM Pablo Neira Ayuso wrote:
> >
> > On Thu, Oct 29, 2020 at 03:56:04AM +0100, Jason A. Donenfeld wrote:
> > > Hi Pablo,
> > >
> > > This series fixes a bug
On Thu, Oct 29, 2020 at 03:56:04AM +0100, Jason A. Donenfeld wrote:
> Hi Pablo,
>
> This series fixes a bug in the route_me_harder family of functions with
> regards to tunnel interfaces. The first patch contains an addition to
> the wireguard test suite; I normally send my wireguard patches throu
On Thu, Oct 29, 2020 at 12:02:41PM +0100, Greg KH wrote:
> On Tue, Oct 27, 2020 at 09:19:22AM +0100, Pablo Neira Ayuso wrote:
> > Hi Greg,
> >
> > On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote:
> > > On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzam
ment support for set declarations
src: add comment support when adding tables
src: add comment support for objects
parser_bison: fail when specifying multiple comments
src: add comment support for chains
Pablo Neira Ayuso (45):
src: Allow for empty set variable definit
Hi Greg,
On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote:
> On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzamohammadi wrote:
> > Adding stable.
>
> What did that do?
Saeed is requesting that stable maintainers cherry-picks this patch:
31cc578ae2de ("netfilter: nftables_offload: KAS
From: Jeremy Sowden
"mailined" should be "mainlined."
Signed-off-by: Jeremy Sowden
Signed-off-by: Pablo Neira Ayuso
---
Documentation/networking/nf_flowtable.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/networking/nf_flowtable.
ill get dropped.
Fixes: c1a831167901 ("netfilter: bridge: convert skb_make_writable to skb_ensure_writable")
Signed-off-by: Timothée COCAULT
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_redirect.
From: "longguang.yue"
Output client, virtual and dst address info when the TCP state changes,
which makes connection debugging clearer.
Signed-off-by: longguang.yue
Acked-by: Julian Anastasov
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_proto_tcp.c | 10 ++--
d when getting the reply rather than when sending out
the keepalive packet.
Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register")
Signed-off-by: Francesco Ruggeri
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_proto_tcp.c | 19 +++
b800c3b966bc ("ipv6: drop fragmented ndisc packets by default (RFC 6980)")
Signed-off-by: Georg Kohmann
Signed-off-by: Pablo Neira Ayuso
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c
b/net/ipv6
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 ++
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/nf_tables_offload.c | 4 ++--
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/net
Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nft_fwd_netdev.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf
)
Francesco Ruggeri (1):
netfilter: conntrack: connection timeout after re-register
Georg Kohmann (1):
netfilter: Drop fragmented ndisc packets assembled in netfilter
Jeremy Sowden (1):
docs: nf_flowtable: fix typo.
Pablo Neira Ayuso (1):
netfilter: nf_fwd_netdev
On Wed, Sep 30, 2020 at 08:08:02AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 28 Sep 2020, longguang.yue wrote:
>
> > Output client, virtual and dst address info when the TCP state changes,
> > which makes connection debugging clearer.
> >
> > Signed-off-by: longguang.yue
>
>
On Wed, Oct 07, 2020 at 12:32:52PM -0700, Francesco Ruggeri wrote:
> If the first packet conntrack sees after a re-register is an outgoing
> keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> SND.NXT-1.
> When the peer correctly acknowledges SND.NXT, tcp_in_window fails
> check
On Tue, Oct 13, 2020 at 02:23:12PM +0200, Georg Kohmann wrote:
> Fragmented ndisc packets assembled in netfilter are not dropped as specified
> in RFC 6980, section 5. This behaviour breaks TAHI IPv6 Core Conformance
> Tests v6LC.2.1.22/23, V6LC.2.2.26/27 and V6LC.2.3.18.
>
> Setting IP6SKB_FRAGMENTED
e expr->ops that fixes the slab-out-of-bounds Read issue.
Add nft_expr_more() and use it to fix this problem.
Signed-off-by: Saeed Mirzamohammadi
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 ++
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/n
On Thu, Oct 15, 2020 at 12:47:48PM -0700, Jakub Kicinski wrote:
> On Thu, 15 Oct 2020 18:30:29 +0200 Pablo Neira Ayuso wrote:
> > The following patchset adds infrastructure to augment the Netfilter
> > flowtable fastpath [1] to support for local network topologies that
> >
ure that LIBCRC32C is built if NF_TABLES
is 'y' or 'm' in the kernel build configuration.
Signed-off-by: Davide Caratti
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
@Jakub: This is my last pending item in nf-next I think, I'm not planning to
Add the vlan id and proto to the flow tuple to uniquely identify flows
from the receive path. Store the vlan id and proto to set it accordingly
from the transmit path. This patch includes support for two VLAN headers
(Q-in-Q).
Signed-off-by: Pablo Neira Ayuso
---
v2: fix sparse warnings
ab:cd:ef:ab:cd:ef
For packets in the IP forwarding going to eth0.100 whose destination MAC
address is ab:cd:ef:ab:cd:ef, dev_fill_forward_path() provides the
following path:
eth0.100 -> eth0
Signed-off-by: Pablo Neira Ayuso
---
v2: fix sparse warning.
include/linux/netdevice.h |
The ingress device in the tuple is obtained from route in the reply
direction. Use dev_fill_forward_path() instead to provide the real
ingress device for this flow.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes
include/net/netfilter/nf_flow_table.h | 6 ++-
net/netfilter
[1] https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html
Pablo Neira Ayuso (9):
netfilter: flowtable: add xmit path types
net: resolve forwarding path from virtual netdevice and HW destination address
net: 8021q: resolve forwarding path for vlan devices
bridge: resolve
Update hardware destination address to the master bridge device to
emulate the forwarding behaviour.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/net/netfilter/nf_flow_table.h | 1 +
net/netfilter/nf_flow_table_core.c| 4
net/netfilter/nft_flow_offload.c | 6
The egress device in the tuple is obtained from route. Use
dev_fill_forward_path() instead to provide the real ingress device for
this flow whenever this is available.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/net/netfilter/nf_flow_table.h | 4
net/netfilter
Add FLOW_OFFLOAD_XMIT_DIRECT to turn on the direct dev_queue_xmit() path
to transmit ethernet frames. Cache the source and destination hardware
address for flow to use dev_queue_xmit() to transfer packets.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/net/netfilter
Add the xmit_type field that defines the two supported xmit paths in the
flowtable data plane, which are the neighbour and the xfrm xmit paths.
This patch prepares for new flowtable xmit path types to come.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/net/netfilter
ethX
ab:cd:ef:ab:cd:ef
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes
include/linux/netdevice.h | 27 +++
net/core/dev.c| 31 +++
2 files changed, 58 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
Add .ndo_fill_forward_path for bridge devices.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes
include/linux/netdevice.h | 1 +
net/bridge/br_device.c| 22 ++
2 files changed, 23 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
On Thu, Oct 15, 2020 at 08:10:13AM -0700, Jakub Kicinski wrote:
> On Thu, 15 Oct 2020 03:16:30 +0200 Pablo Neira Ayuso wrote:
> > Add the vlan id and proto to the flow tuple to uniquely identify flows
> > from the receive path. Store the vlan id and proto to set it according
On Thu, Oct 15, 2020 at 08:31:52AM +0530, Naresh Kamboju wrote:
> On Thu, 15 Oct 2020 at 01:00, Pablo Neira Ayuso wrote:
> >
> > On Wed, Oct 14, 2020 at 05:19:33PM +0530, Naresh Kamboju wrote:
> > > While running kselftest netfilter test on x86_64 devices linux next
Add the vlan id and proto to the flow tuple to uniquely identify flows
from the receive path. Store the vlan id and proto to set it accordingly
from the transmit path. This patch includes support for two VLAN headers
(Q-in-Q).
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter
Add .ndo_fill_forward_path for bridge devices.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netdevice.h | 1 +
net/bridge/br_device.c| 22 ++
2 files changed, 23 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 6a3370fafe4b
The ingress device in the tuple is obtained from route in the reply
direction. Use dev_fill_forward_path() instead to provide the real
ingress device for this flow.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 6 ++-
net/netfilter/nf_flow_table_core.c| 3
Add FLOW_OFFLOAD_XMIT_DIRECT to turn on the direct dev_queue_xmit() path
to transmit ethernet frames. Cache the source and destination hardware
address for flow to use dev_queue_xmit() to transfer packets.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 5
ab:cd:ef:ab:cd:ef
For packets in the IP forwarding going to eth0.100 whose destination MAC
address is ab:cd:ef:ab:cd:ef, dev_fill_forward_path() provides the
following path:
eth0.100 -> eth0
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netdevice.h | 7 +++
net/8021q/vlan_de
Update hardware destination address to the master bridge device to
emulate the forwarding behaviour.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 1 +
net/netfilter/nf_flow_table_core.c| 4
net/netfilter/nft_flow_offload.c | 6 +-
3 files
ethX
ab:cd:ef:ab:cd:ef
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netdevice.h | 27 +++
net/core/dev.c| 31 +++
2 files changed, 58 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 964b49
tworking/nf_flowtable.html
Pablo Neira Ayuso (9):
netfilter: flowtable: add xmit path types
net: resolve forwarding path from virtual netdevice and HW destination address
net: 8021q: resolve forwarding path for vlan devices
bridge: resolve forwarding path for bridge devices
The egress device in the tuple is obtained from route. Use
dev_fill_forward_path() instead to provide the real ingress device for
this flow whenever this is available.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 4
net/netfilter/nf_flow_table_core.c
Add the xmit_type field that defines the two supported xmit paths in the
flowtable data plane, which are the neighbour and the xfrm xmit paths.
This patch prepares for new flowtable xmit path types to come.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 6
This definition is used by the iptables legacy UAPI, restore it.
Fixes: d3519cb89f6d ("netfilter: nf_tables: add inet ingress support")
Reported-by: Jason A. Donenfeld
Tested-by: Jason A. Donenfeld
Signed-off-by: Pablo Neira Ayuso
---
@Jakub: if you please can take this into net-n
On Wed, Oct 14, 2020 at 05:19:33PM +0530, Naresh Kamboju wrote:
> While running kselftest netfilter test on x86_64 devices linux next
> tag 20201013 kernel
> these errors are noticed. This is not specific to the kernel version; we have
> noticed these errors
> earlier also.
>
> Am I missing configs ?
Wha
On Wed, Oct 14, 2020 at 03:01:15PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 14, 2020 at 02:59:47PM +0200, Jason A. Donenfeld wrote:
> > Hey Pablo,
> >
> > In 60a3815da702fd9e4759945f26cce5c47d3967ad, you added another enum
> > value to nf_inet_hooks:
>
On Wed, Oct 14, 2020 at 02:59:47PM +0200, Jason A. Donenfeld wrote:
> Hey Pablo,
>
> In 60a3815da702fd9e4759945f26cce5c47d3967ad, you added another enum
> value to nf_inet_hooks:
>
> --- a/include/uapi/linux/netfilter.h
> +++ b/include/uapi/linux/netfilter.h
> @@ -45,6 +45,7 @@ enum nf_inet_hooks
On Wed, Oct 14, 2020 at 02:06:28AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> > Jozsef Kadlecsik wrote:
> > > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > >
On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> Jozsef Kadlecsik wrote:
> > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > > case, i.e. add a "grace period" rather than acting right away when
> > > conntrack use count did hit 0.
> >
> > Now I underst
t one per second, and add delay
when re-injecting the packet to the kernel.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
tools/testing/selftests/netfilter/nf-queue.c | 61 +---
.../testing/selftests/netfilter/nft_queue.sh | 70 +++
2 files ch
=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2
MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1
Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files")
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_log.h | 1 +
The initial support for netlink extended ACK is missing the chain update
path, which results in misleading error reporting in case of EEXIST.
Fixes: 36dd1bcc07e5 ("netfilter: nf_tables: initial support for extended ACK reporting")
Signed-off-by: Pablo Neira Ayuso
---
net
;tcp/fq: move back to CLOCK_MONOTONIC")
Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
Signed-off-by: Julian Anastasov
Reviewed-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_xmit.c | 6 ++
1 file changed,
ian Westphal (1):
selftests: netfilter: extend nfqueue test case
Julian Anastasov (1):
ipvs: clear skb->tstamp in forwarding path
Pablo Neira Ayuso (2):
netfilter: nftables: extend error reporting for chain updates
netfilter: nf_log: missing vlan offload tag and proto
i
Please Cc: netfilter-de...@vger.kernel.org for your netfilter
patches, so patchwork can catch them there too next time.
On Mon, Oct 12, 2020 at 02:53:47PM +0200, Georg Kohmann wrote:
> Fragmented ndisc packets assembled in netfilter are not dropped as specified
> in RFC 6980, section 5. This behaviour
2 01:58:10
+0200)
--------
Pablo Neira Ayuso (5):
netfilter: add nf_static_key_{inc,dec}
netfilter: add nf_ingress_hook() helper function
netfilter: add inet ingress support
netfilter: nf_tables: add inet ingre
Add helper function to check if this is an ingress hook.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index b9ec8ecf7e30..c82f779a587e 100644
--- a/net/netfilter
ned-off-by: longguang.yue
Signed-off-by: Julian Anastasov
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_conn.c | 18 +++---
net/netfilter/ipvs/ip_vs_core.c | 19 +++
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_co
Add helper functions to increment and decrement the hook static keys.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 23 +--
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3ac7c8c1548d..b9ec8ecf7e30
it easier to support this new hook in nf_tables.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter.h | 1 +
net/netfilter/core.c | 103 ++---
2 files changed, 83 insertions(+), 21 deletions(-)
diff --git a/include/uapi/linux/netfilter.h b
Make two upfront calls to pskb_may_pull() to linearize the network and
transport header.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_core.c | 12 +++-
net/netfilter/nf_flow_table_ip.c | 45 +-
2 files changed, 30 insertions(+), 27 deletions
bound to one or more devices (through the hook
list infrastructure). This check allows performing the same handling for
the inet ingress as if it were a netdev ingress chain from the control
plane.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6
include/net
unter inet filter
^
Error is now correctly rendered:
FAIL: oskuidcounter, want "packets 2", got
table inet filter {
counter oskuidcounter {
packets 1 bytes 84
}
}
Signed-off-by: Fabian Frederick
Signed-off-by: Pablo Neira Ayuso
---
too
Hi,
The following patchset contains Netfilter selftests fixes from
Fabian Frederick:
1) Extend selftest nft_meta.sh to check for meta cpu.
2) Fix selftest nft_meta.sh error reporting.
3) Fix shellcheck warnings in selftest nft_meta.sh.
4) Extend selftest nft_meta.sh to check for meta time.
Pl
From: Fabian Frederick
cnt was not used in nft_meta.sh
This patch also fixes 2 shellcheck SC2181 warnings:
"check exit code directly with e.g. 'if mycmd;', not indirectly with
$?."
Signed-off-by: Fabian Frederick
Signed-off-by: Pablo Neira Ayuso
---
tools/testing
From: Fabian Frederick
Check packets are correctly placed in current year.
Also do a NULL check for another one.
Signed-off-by: Fabian Frederick
Signed-off-by: Pablo Neira Ayuso
---
tools/testing/selftests/netfilter/nft_meta.sh | 10 --
1 file changed, 8 insertions(+), 2 deletions
From: Fabian Frederick
Run the task on the first CPU with netfilter counters reset and check
the cpu meta after another ping.
Signed-off-by: Fabian Frederick
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
tools/testing/selftests/netfilter/nft_meta.sh | 14 ++
1 file changed
From: YueHaibing
They are not used since commit e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
Signed-off-by: YueHaibing
Acked-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_sync.c | 3 ---
1 file changed, 3 deletions(-)
di
From: YueHaibing
It is never used, so can be removed.
Signed-off-by: YueHaibing
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 7 ---
1 file changed, 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/netfilter/nf_tables.h
index
ys-0 columns.
Fixes: bc92470413f3af1 ("netfilter: conntrack: add clash resolution stat counter")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_standalone.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(
lter: nf_tables: add userdata support for nft_object")
Fixes: 7a81575b806e ("netfilter: nf_tables: add userdata attributes to nft_table")
Signed-off-by: Jose M. Guisado Gomez
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(
From: "Jose M. Guisado Gomez"
When userdata support was added to tables and objects, user data coming
from user space was allocated and copied using kzalloc + nla_memcpy.
Use nla_memdup to copy userdata of tables and objects.
Signed-off-by: Jose M. Guisado Gomez
Signed-off-by: P
From: "Jose M. Guisado Gomez"
Enables storing userdata for nft_chain. Field udata points to user data
and udlen stores its length.
Adds new attribute flag NFTA_CHAIN_USERDATA.
Signed-off-by: Jose M. Guisado Gomez
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/n
y: Pablo Neira Ayuso
---
net/netfilter/ipset/ip_set_core.c | 17 +
1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c
b/net/netfilter/ipset/ip_set_core.c
index 920b7c4331f0..6f35832f0de3 100644
--- a/net/netfilter/ipset/ip_set_core.c
+
p splat, this time between ipset and
ctnetlink subsys mutexes.
Time to place them in distinct classes to avoid these warnings.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink.c | 19 ++-
1 file changed, 18 insertions(+), 1 dele
each time.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_core.h | 2 ++
net/netfilter/nf_tables_core.c | 3 +--
net/netfilter/nft_cmp.c| 13 +++--
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/in
From: YueHaibing
commit 9a32669fecfb ("netfilter: nf_tables_offload: support indr block call")
left this behind.
Signed-off-by: YueHaibing
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net
: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_core.h | 9 ++
net/netfilter/nf_tables_core.c | 12 +++
net/netfilter/nft_bitwise.c| 141 +++--
3 files changed, 156 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_tables_core.h
Hi,
The following patchset contains Netfilter updates for net-next:
1) Rename 'searched' column to 'clashres' in conntrack /proc/ stats
to amend a recent patch, from Florian Westphal.
2) Remove unused nft_data_debug(), from YueHaibing.
3) Remove unused definitions in IPVS, also from YueHaibi
On Fri, Sep 18, 2020 at 09:17:29PM +0800, YueHaibing wrote:
> commit 9a32669fecfb ("netfilter: nf_tables_offload: support indr block call")
> left this behind.
Applied.
On Wed, Sep 30, 2020 at 01:20:41PM +0100, Richard Haines wrote:
> On Wed, 2020-09-30 at 12:17 +0200, Pablo Neira Ayuso wrote:
> > On Wed, Sep 30, 2020 at 10:49:31AM +0100, Richard Haines wrote:
> > > These patches came about after looking at 5G open source in
> > > part
On Wed, Sep 30, 2020 at 10:49:31AM +0100, Richard Haines wrote:
> These patches came about after looking at 5G open source in particular
> the updated 5G GTP driver at [1]. As this driver is still under
> development, added the LSM/SELinux hooks to the current stable GTP
> version in kernel selinux
On Thu, Sep 24, 2020 at 12:17:33PM +0200, Fabian Frederick wrote:
> Check packets are correctly placed in current year.
> Also do a NULL check for another one.
Applied.
On Wed, Sep 09, 2020 at 08:25:36PM +0200, Fabian Frederick wrote:
> Run the task on the first CPU with netfilter counters reset and check
> the cpu meta after another ping.
Patches from 1 to 3 in this series are now applied, thanks.
On Mon, Sep 21, 2020 at 09:24:40AM +0200, Simon Horman wrote:
> On Fri, Sep 18, 2020 at 09:16:56PM +0800, YueHaibing wrote:
> > They are not used since commit e4ff67513096 ("ipvs: add
> > sync_maxlen parameter for the sync daemon")
> >
> > Signed-off-by: YueHaibing
>
> Thanks, this look good to
Hi Lukas,
On Thu, Aug 27, 2020 at 10:55:03AM +0200, Lukas Wunner wrote:
[...]
> Overall, performance improves with this commit if neither netfilter nor
> traffic control is used. However it degrades a little if only traffic
> control is used, due to the "noinline", the additional outer static key