Replaced '/' between shortopt and longopt with ',', as used by other utilities.
Signed-off-by: Piyush Pangtey
---
src/main.c | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/main.c b/src/main.c
index 7bbcfc4..d643970 100644
--- a/src/main.c
+++ b/src/main.c
Added translation for hbh module.
Note: Currently, --hbh-opts support doesn't exist in nftables.
Example:
$ ip6tables-translate -A INPUT -m hbh --hbh-len 40
nft add rule ip6 filter INPUT hbh hdrlength 40 counter
$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 40
nft add rule ip6 filter I
Hello Pablo,
I would require some guidance regarding the libxt_multiport translation in nft.
If the translation is over ip4 family:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
counter accep
Added translation for the match multiport.
Example:
$ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 }
counter accept
$ iptables-translate -A INPUT -p tcp -m multiport --sports http,ssh,ftp -j
ACC
Hi Jarno,
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Jarno-Rajahalme/netfilter-Remove-IP_CT_NEW_REPLY-definition/20160309-083126
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master
config: x86_64-randconfig-s3-03091202 (att
Hi Jarno,
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Jarno-Rajahalme/netfilter-Remove-IP_CT_NEW_REPLY-definition/20160309-083126
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master
config: x86_64-randconfig-b0-03091138 (att
Extend OVS conntrack interface to cover NAT. New nested
OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action.
A bare OVS_CT_ATTR_NAT only mangles existing and expected connections.
If OVS_NAT_ATTR_SRC or OVS_NAT_ATTR_DST is included within the nested
attributes, new (non-committed
Repeat the nf_conntrack_in() call when it returns NF_REPEAT. This
avoids dropping a SYN packet re-opening an existing TCP connection.
Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
---
net/openvswitch/conntrack.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --g
There is no need to help connections that are not confirmed, so we can
delay helping new connections to the time when they are confirmed.
This change is needed for NAT support, and having this as a separate
patch will make the following NAT patch a bit easier to review.
Signed-off-by: Jarno Rajaha
Only a successful nf_conntrack_in() call can effect a connection state
change, so it suffices to update the key only after the
nf_conntrack_in() returns.
This change is needed for the later NAT patches.
Signed-off-by: Jarno Rajahalme
---
net/openvswitch/conntrack.c | 7 ---
1 file changed,
This makes the code easier to understand and the following patches
more focused.
Signed-off-by: Jarno Rajahalme
---
net/openvswitch/conntrack.c | 21 -
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
inde
Add a new function ovs_ct_find_existing() to find an existing
conntrack entry to which this packet was already applied. This is
only to be called when there is evidence that the packet was already
tracked and committed, but we lost the ct reference due to a
userspace upcall.
ovs_ct_find_exis
Remove the definition of IP_CT_NEW_REPLY from the kernel as it does
not make sense. This allows the definition of IP_CT_NUMBER to be
simplified as well.
Signed-off-by: Jarno Rajahalme
---
include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +---
net/openvswitch/conntrack.c
NAT checksum recalculation code assumes existence of skb_dst, which
becomes a problem for a later patch in the series ("openvswitch:
Interface with NAT."). Simplify this by removing the check on
skb_dst, as the checksum will be dealt with later in the stack.
Suggested-by: Pravin Shelar
Signed-of
On 07/03/2016 14:20, Patrick McHardy wrote:
On 05.03, christophe leroy wrote:
Hello,
I'm trying to implement support for CT HELPERs in linux kernel for
nftables and need some help/guidance.
The rule being 'udp dport tftp ct helper set "tftp"', I get
nft_ct_set_init() called when I add the
... else rule like vlan pcp 1-3 won't work and will be displayed
as 0-0 (reverse direction already works since range is represented
as two lte/gte compare expressions).
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 2 ++
tests/py/bridge/vlan.t.payload| 4 ++-
Don't delete the part after the set, i.e. given
chain input {
type filter hook input priority 0; policy accept;
vlan id { 1, 2, 4, 100, 4095} vlan pcp 1-3
}
don't remove the vlan pcp 1-3 part.
This exposes following bug:
bridge/vlan.t: WARNING: line: 32:
'nft add rule --debug=netlin
Signed-off-by: Florian Westphal
---
tests/py/ip6/frag.t | 8
tests/py/ip6/frag.t.payload.inet | 38 ++
tests/py/ip6/frag.t.payload.ip6 | 30 ++
3 files changed, 72 insertions(+), 4 deletions(-)
diff --git a/t
Need to fetch the offset from the exthdr template.
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 07f70e0..49b4676 100644
--- a/src/netlink_linearize.c
+
We copy according to ->target|matchsize, so check that the netlink attribute
(which can include padding and might be larger) contains enough data.
Reported-by: Julia Lawall
Signed-off-by: Florian Westphal
---
net/netfilter/nft_compat.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/ne
Hi Daniel,
On Tue, 8 Mar 2016, Daniel Borkmann wrote:
> On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote:
> > Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
> > was not checked explicitly, just for the maximum possible size. Malicious
> > netlink clients could send a shorter
Hi Jozsef,
On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote:
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send a shorter attribute, thus resulting in a kernel
read after the buf
Hi Pablo,
Please apply the next patch against the nf tree:
- Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute
length was not checked explicitly. The patch adds the missing
checks.
The patch should be applied to the older stable kernel branches too.
Best regards,
Jozsef
T
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send a shorter attribute, thus resulting in a kernel
read after the buffer.
The patch adds the explicit length checks.
Reported-
From: Pablo Neira Ayuso
Date: Tue, 8 Mar 2016 11:00:40 +0100
> The following patchset contains Netfilter updates for your net-next tree,
> they are:
>
> 1) Remove useless debug message when deleting IPVS service, from
> Yannick Brosseau.
>
> 2) Get rid of compilation warning when CONFIG_PRO
Hi Pablo,
On Sat, 5 Mar 2016, Pablo Neira Ayuso wrote:
> On Mon, Feb 29, 2016 at 01:47:59PM +0100, Jozsef Kadlecsik wrote:
> > On Mon, 29 Feb 2016, Pablo Neira Ayuso wrote:
> >
> > > On Wed, Feb 24, 2016 at 09:19:26PM +0100, Jozsef Kadlecsik wrote:
> > > > Flushing/listing entries was not RCU sa
In nft's man page, instead of using '/' between shortopt and longopt in the
"SYNOPSIS" and "OPTIONS" sections, use '|' and ',' respectively
(just like the man pages of iptables, etc.).
Fixed a typo and added a missing ','.
Signed-off-by: Piyush Pangtey
---
doc/nft.xml | 32 -
On Tue, Mar 08, 2016 at 02:47:13PM +0100, Jan Engelhardt wrote:
>
> On Tuesday 2016-03-08 14:37, Pablo Neira Ayuso wrote:
> Those are the userspace bits for the old ip_queue support that was
> removed years ago, since NFQUEUE superseded for many years.
> You can still cd iptables/li
On Tuesday 2016-03-08 14:37, Pablo Neira Ayuso wrote:
Those are the userspace bits for the old ip_queue support that was
removed years ago, since NFQUEUE superseded for many years.
You can still cd iptables/libipq and type 'make' to compile this
small userspace library sinc
On Mon, Mar 07, 2016 at 11:36:33PM +0530, Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 11:30 PM, Pablo Neira Ayuso
> wrote:
> > On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote:
> >> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
> >> > Yes, I'll do that.
>
On Tue, Mar 08, 2016 at 11:43:31AM +0100, Carlos Falgueras García wrote:
> These functions allow to create a buffer (nftnl_udata_buf) of TLV objects
> (nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
> several variable length user data into an object.
Please, resubmit a
On Mon, Mar 07, 2016 at 06:10:41PM +0100, Carlos Falgueras García wrote:
> Now it is possible to store multiple variable length user data into a rule.
> Modify the parser in order to fill the nftnl_udata with the comment, and the
> print function to extract this commentary and print it to the user.
>
On Mon, Mar 07, 2016 at 06:10:42PM +0100, Carlos Falgueras García wrote:
> @@ -75,6 +81,8 @@ void nftnl_rule_free(struct nftnl_rule *r)
> xfree(r->table);
> if (r->chain != NULL)
> xfree(r->chain);
> + if (r->flags & (1 << NFTNL_RULE_USERDATA))
> +
On 2016-03-08 12:06, Florian Westphal wrote:
>> My hot-fix to prevent the crash is to instead of passing the skb to NF_HOOK
>> directly pass it to br_handle_local_finish(). But having insufficient
>> insight into
>> what is going on there, this is fighting the symptoms rather than solving
>> the
Zefir Kurtisi wrote:
> > Reproducing the crash
> > 1. build the firmware for the system to test
> > * use default configuration
> > * ensure to select CONFIG_BRIDGE_NETFILTER in kernel_menuconfig
> > 2. boot the device and access it over serial
> > 3. ensure br-lan bridge has at least two ac
On Mon, Mar 07, 2016 at 10:21:44PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Not supported types in nftables
These are actually icmp codes that we don't support yet, right?
> are: any, network-unreachable, host-unreachable, protocol-unreachable,
> port-unreachable
Hi Laura,
On Mon, Mar 07, 2016 at 10:22:55PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmpv6 to nftables. Not supported types in nftables
> are: no-route, communication-prohibited, beyond-scope,
> address-unreachable, port-unreachable, failed-policy, reject-route,
> ttl-zero-during
These functions allow to create a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
several variable length user data into an object.
Example usage:
```
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
```
On Tue, Mar 08, 2016 at 10:58:19AM +0100, Carlos Falgueras García wrote:
> On 02/03/16 19:37, Pablo Neira Ayuso wrote:
> >On Mon, Feb 29, 2016 at 05:25:40PM +0100, Carlos Falgueras García wrote:
> >>diff --git a/src/rule.c b/src/rule.c
> >>index 18ff592..499fa7b 100644
> >>--- a/src/rule.c
> >>+++
On Tue, Mar 08, 2016 at 10:58:11AM +0100, Carlos Falgueras García wrote:
> On 02/03/16 19:41, Pablo Neira Ayuso wrote:
> >You can consolidate these two functions into one using the NFTNL_BUF_*
> >API.
>
> If I wrap these functions in this patch, the new code structure will differ
> from the one al
On Tue, Mar 08, 2016 at 10:57:50AM +0100, Carlos Falgueras García wrote:
> On 02/03/16 19:32, Pablo Neira Ayuso wrote:
> >On Mon, Feb 29, 2016 at 05:25:38PM +0100, Carlos Falgueras García wrote:
> >>diff --git a/include/attr.h b/include/attr.h
> >>new file mode 100644
> >>index 000..2a29fa0
> >
From: Florian Westphal
This moves bridge hooks to a register-when-needed scheme.
We use a device notifier to register the 'call-iptables' netfilter hooks
only once a bridge gets added.
This means that if the initial namespace uses a bridge, newly created
network namespaces no longer get the PRE
From: Florian Westphal
This change prepares for upcoming on-demand xtables hook registration.
We change the prototypes of the register/unregister functions.
A followup patch will then add nf_hook_register/unregister calls
to the iptables one.
Once a hook is registered packets will be picked up,
From: Joe Stringer
Since commit 0848f6428ba3 ("inet: frags: fix defragmented packet's IP
header for af_packet"), ip_send_check() would be called twice for
defragmentation that occurs from netfilter ipv4 defrag hooks. Remove the
extra call.
Signed-off-by: Joe Stringer
Signed-off-by: Pablo Neira
From: Arnd Bergmann
The proc_create() and remove_proc_entry() functions do not reference
their arguments when CONFIG_PROC_FS is disabled, so we get a couple
of warnings about unused variables in IPVS:
ipvs/ip_vs_app.c:608:14: warning: unused variable 'net' [-Wunused-variable]
ipvs/ip_vs_ctl.c:39
From: Florian Westphal
Can be used to randomly match packets e.g. for statistic traffic sampling.
See commit 3ad0040573b0c00f8848
("bpf: split state from prandom_u32() and consolidate {c, e}BPF prngs")
for more info why this doesn't use prandom_u32 directly.
Unlike bpf nft_meta can be built as
Complete masquerading support by allowing port range selection.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nft_masq.h | 4 ++-
include/uapi/linux/netfilter/nf_tables.h | 4 +++
net/ipv4/netfilter/nft_masq_ipv4.c | 7 -
net/ipv6/netfilter/nft_masq_ipv6.c
From: Sudip Mukherjee
While building with W=1 we got the warning:
net/netfilter/xt_osf.c:265:9: warning: variable 'loop_cont' set but not used
The local variable loop_cont was only initialized and then assigned a
value but was never used or checked after that.
While removing the variable, the ca
From: Florian Westphal
delay hook registration until the table is being requested inside a
namespace.
Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.
When netns support was added to iptables only the ip/ip6tables ruleset was
made namespac
From: Yannick Brosseau
This has been there for a long time, but does not seem to add value.
Signed-off-by: Yannick Brosseau
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/i
From: Florian Westphal
With the previous patches in place, a netns nf_hook_list might be empty,
even if e.g. init_net performs filtering.
Thus change nf_hook_thresh to check the hook_list as well before
initializing hook_state and calling nf_hook_slow().
We still make use of static keys; if no
Hi David,
The following patchset contains Netfilter updates for your net-next tree,
they are:
1) Remove useless debug message when deleting IPVS service, from
Yannick Brosseau.
2) Get rid of compilation warning when CONFIG_PROC_FS is unset in
several spots of the IPVS code, from Arnd Bergm
On 02/03/16 19:37, Pablo Neira Ayuso wrote:
On Mon, Feb 29, 2016 at 05:25:40PM +0100, Carlos Falgueras García wrote:
diff --git a/src/rule.c b/src/rule.c
index 18ff592..499fa7b 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -23,6 +23,7 @@
#include
#include
+#include
#include
#include
On 02/03/16 19:32, Pablo Neira Ayuso wrote:
On Mon, Feb 29, 2016 at 05:25:38PM +0100, Carlos Falgueras García wrote:
diff --git a/include/attr.h b/include/attr.h
new file mode 100644
index 000..2a29fa0
--- /dev/null
+++ b/include/attr.h
@@ -0,0 +1,40 @@
+#ifndef _LIBNFTNL_ATTR_INTERNAL_H_
+#
On 02/03/16 19:41, Pablo Neira Ayuso wrote:
On Mon, Feb 29, 2016 at 05:25:39PM +0100, Carlos Falgueras García wrote:
Please wrap the code below into a function, e.g. nftnl_jansson_udata_parse()
+ array = json_object_get(root, "userdata");
+ if (array == NULL) {
+ er