Yigal Reiss (yreiss) wrote:
> Currently the "fail-open" feature in NFQUEUE passes packets only in the case
> where the limit comes from the queue size (queue->queue_total >=
> queue->queue_maxlen).
Right.
> In the case where the qlen is high and the load is high, packets will be dropped
> as resu
On 11 March 2016 at 07:54, Jarno Rajahalme wrote:
> Extend OVS conntrack interface to cover NAT. New nested
> OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action.
> A bare OVS_CT_ATTR_NAT only mangles existing and expected connections.
> If OVS_NAT_ATTR_SRC or OVS_NAT_ATTR_DST i
On Thu, Mar 10, 2016 at 05:36:30PM -0500, David Miller wrote:
> >
> > Works like a charm! So David, what are the next steps then?
> > Mind to gather all your patches into one (maybe)?
>
> I'll re-review all of the changes tomorrow and also look into ipv6
> masq, to see if it needs the same treatm
From: Cyrill Gorcunov
Date: Fri, 11 Mar 2016 00:59:59 +0300
> On Fri, Mar 11, 2016 at 12:19:45AM +0300, Cyrill Gorcunov wrote:
>> >
>> > Oh yes they do, from masq's non-inet notifier. masq registers two
>> > notifiers, one for generic netdev and one for inetdev.
>>
>> Thanks a huge David! I'll
Thanks for the reviews, Joe!
Now we have acks for the patches 3-8, but not for 1 and 2 that touch netfilter
proper. Who could review those?
Jarno
> On Mar 10, 2016, at 2:01 PM, Joe Stringer wrote:
>
> On 11 March 2016 at 07:54, Jarno Rajahalme wrote:
>> There is no need to help connections
On 11 March 2016 at 07:54, Jarno Rajahalme wrote:
> There is no need to help connections that are not confirmed, so we can
> delay helping new connections to the time when they are confirmed.
> This change is needed for NAT support, and having this as a separate
> patch will make the following NAT
On 11 March 2016 at 07:54, Jarno Rajahalme wrote:
> This makes the code easier to understand and the following patches
> more focused.
>
> Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message
On Fri, Mar 11, 2016 at 12:19:45AM +0300, Cyrill Gorcunov wrote:
> >
> > Oh yes they do, from masq's non-inet notifier. masq registers two
> > notifiers, one for generic netdev and one for inetdev.
>
> Thanks a huge David! I'll test it just to be sure.
Works like a charm! So David, what are the
Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.
Add "*-rule-udata.[json|xml]" to check parsers.
Signed-off-by: Carlos Falgueras García
---
tests/jsonfiles/71-rule-udata.json | 1 +
tests/nft-rule-test.c | 21 +
tests/xmlfiles/82-rule-udata
Now it is possible to store multiple variable length user data into a rule.
Modify XML and JSON parsers to support this new feature.
Signed-off-by: Carlos Falgueras García
---
include/json.h | 7 ++
include/utils.h | 2 +
include/xml.h | 6 ++
src/jansson.c | 66 +++
src/
Now it is possible to store multiple variable length user data into a rule.
Modify the parser in order to fill the nftnl_udata with the comment, and
the print function to extract this comment and print it to the user.
Signed-off-by: Carlos Falgueras García
---
include/rule.h| 11 +
These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). They are inspired by libmnl/src/attr.c and can be used to store
several variable length user data items into an object.
Example usage:
```
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
```
Thanks for the feedback.
On 08/03/16 14:13, Pablo Neira Ayuso wrote:
On Mon, Mar 07, 2016 at 06:10:41PM +0100, Carlos Falgueras García wrote:
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 05ade0f..ed1b63a 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -24,6 +24,7 @@
Thanks for the feedback.
On 08/03/16 14:04, Pablo Neira Ayuso wrote:
On Mon, Mar 07, 2016 at 06:10:42PM +0100, Carlos Falgueras García wrote:
@@ -75,6 +81,8 @@ void nftnl_rule_free(struct nftnl_rule *r)
xfree(r->table);
if (r->chain != NULL)
xfree(r->chai
On Thu, Mar 10, 2016 at 04:05:21PM -0500, David Miller wrote:
> >
> > and nobody calls for nf_ct_iterate_cleanup, no?
>
> Oh yes they do, from masq's non-inet notifier. masq registers two
> notifiers, one for generic netdev and one for inetdev.
Thanks a huge David! I'll test it just to be sure.
On Thu, Mar 10, 2016 at 11:55 AM, David Miller wrote:
> Indeed, good catch. Therefore:
>
> 1) Keep the masq netdev notifier. That will flush the conntrack table
> for the inetdev_destroy event.
>
> 2) Make the inetdev notifier only do something if inetdev->dead is
> false. (i.e. we are flu
From: Cyrill Gorcunov
Date: Thu, 10 Mar 2016 23:13:51 +0300
> On Thu, Mar 10, 2016 at 03:03:11PM -0500, David Miller wrote:
>> From: Cyrill Gorcunov
>> Date: Thu, 10 Mar 2016 23:01:34 +0300
>>
>> > On Thu, Mar 10, 2016 at 02:55:43PM -0500, David Miller wrote:
>> >> >
>> >> > Hmm, but inetdev_d
On Thu, Mar 10, 2016 at 11:13:51PM +0300, Cyrill Gorcunov wrote:
> >
> > Both notifiers are run in the inetdev_destroy() case.
> >
> > Maybe that's what you are missing.
>
> No :) Look, here is what I mean. Previously with your two patches
> we've been calling nf-cleanup for every address, so we
On Thu, Mar 10, 2016 at 03:03:11PM -0500, David Miller wrote:
> From: Cyrill Gorcunov
> Date: Thu, 10 Mar 2016 23:01:34 +0300
>
> > On Thu, Mar 10, 2016 at 02:55:43PM -0500, David Miller wrote:
> >> >
> >> > Hmm, but inetdev_destroy() is only called when NETDEV_UNREGISTER
> >> > is happening and
From: Cyrill Gorcunov
Date: Thu, 10 Mar 2016 23:01:34 +0300
> On Thu, Mar 10, 2016 at 02:55:43PM -0500, David Miller wrote:
>> >
>> > Hmm, but inetdev_destroy() is only called when NETDEV_UNREGISTER
>> > is happening and masq already registers a netdev notifier...
>>
>> Indeed, good catch. The
On Thu, Mar 10, 2016 at 02:55:43PM -0500, David Miller wrote:
> >
> > Hmm, but inetdev_destroy() is only called when NETDEV_UNREGISTER
> > is happening and masq already registers a netdev notifier...
>
> Indeed, good catch. Therefore:
>
> 1) Keep the masq netdev notifier. That will flush the c
From: Cong Wang
Date: Thu, 10 Mar 2016 11:02:28 -0800
> On Thu, Mar 10, 2016 at 10:01 AM, David Miller wrote:
>> I'm tempted to say that we should provide these notifier handlers with
>> the information they need, explicitly, to handle this case.
>>
>> Most inetdev notifiers actually want to know
On Thu, Mar 10, 2016 at 10:01 AM, David Miller wrote:
> I'm tempted to say that we should provide these notifier handlers with
> the information they need, explicitly, to handle this case.
>
> Most inetdev notifiers actually want to know the individual addresses
> that get removed, one by one. Tha
There is no need to help connections that are not confirmed, so we can
delay helping new connections to the time when they are confirmed.
This change is needed for NAT support, and having this as a separate
patch will make the following NAT patch a bit easier to review.
Signed-off-by: Jarno Rajaha
Thanks for the reviews Joe! Comments below.
> On Mar 9, 2016, at 7:47 PM, Joe Stringer wrote:
>
> Hi Jarno,
>
> Thanks for working on this. Mostly just a few style things around #ifdefs
> below.
>
> On 9 March 2016 at 15:10, Jarno Rajahalme wrote:
>> Extend OVS conntrack interface to cover N
Repeat the nf_conntrack_in() call when it returns NF_REPEAT. This
avoids dropping a SYN packet re-opening an existing TCP connection.
Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
---
net/openvswitch/conntrack.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --g
Add a new function ovs_ct_find_existing() to find an existing
conntrack entry to which this packet was already applied. This is
only to be called when there is evidence that the packet was already
tracked and committed, but we lost the ct reference due to a
userspace upcall.
ovs_ct_find_exis
This series adds NAT support to the openvswitch kernel module. A few
changes are needed to the netfilter code to facilitate this (patches
1-2/8). Patches 3-7 make the openvswitch kernel module ready for the
patch 8 that adds the NAT support by calling into netfilter NAT code
from the openvswitch conn
Extend OVS conntrack interface to cover NAT. New nested
OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action.
A bare OVS_CT_ATTR_NAT only mangles existing and expected connections.
If OVS_NAT_ATTR_SRC or OVS_NAT_ATTR_DST is included within the nested
attributes, new (non-committed
Only a successful nf_conntrack_in() call can effect a connection state
change, so it suffices to update the key only after the
nf_conntrack_in() returns.
This change is needed for the later NAT patches.
Signed-off-by: Jarno Rajahalme
Acked-by: Joe Stringer
---
net/openvswitch/conntrack.c | 7 +
Remove the definition of IP_CT_NEW_REPLY from the kernel as it does
not make sense. This allows the definition of IP_CT_NUMBER to be
simplified as well.
Signed-off-by: Jarno Rajahalme
---
include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +---
net/openvswitch/conntrack.c
This makes the code easier to understand and the following patches
more focused.
Signed-off-by: Jarno Rajahalme
---
net/openvswitch/conntrack.c | 21 -
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
inde
NAT checksum recalculation code assumes existence of skb_dst, which
becomes a problem for a later patch in the series ("openvswitch:
Interface with NAT."). Simplify this by removing the check on
skb_dst, as the checksum will be dealt with later in the stack.
Suggested-by: Pravin Shelar
Signed-of
On Thu, Mar 10, 2016 at 01:01:38PM -0500, David Miller wrote:
> From: Cyrill Gorcunov
> Date: Thu, 10 Mar 2016 18:09:20 +0300
>
> > On Thu, Mar 10, 2016 at 02:03:24PM +0300, Cyrill Gorcunov wrote:
> >> On Thu, Mar 10, 2016 at 01:20:18PM +0300, Cyrill Gorcunov wrote:
> >> > On Thu, Mar 10, 2016 at
On Wed, Mar 09, 2016 at 12:42:45PM +0530, FaTe wrote:
> Added translation for hbh module.
>
> Note: Currently, --hbh-opts support doesn't exist in nftables.
>
> Example:
> $ ip6tables-translate -A INPUT -m hbh --hbh-len 40
> nft add rule ip6 filter INPUT hbh hdrlength 40 counter
>
> $ sudo ip6t
> On Mar 10, 2016, at 4:00 AM, Thomas Graf wrote:
>
> On 03/09/16 at 07:47pm, Joe Stringer wrote:
>> On 9 March 2016 at 15:10, Jarno Rajahalme wrote:
>>> Extend OVS conntrack interface to cover NAT. New nested
>>> OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action.
>>> A bar
Thanks for pointing this out. v10, which I hope is the final version, will have
the cover letter back.
Jarno
> On Mar 10, 2016, at 1:16 AM, Or Gerlitz wrote:
>
> On Wed, Mar 9, 2016 at 2:24 AM, Jarno Rajahalme wrote:
>> Remove the definition of IP_CT_NEW_REPLY from the kernel as it does
>> no
On Thu, Mar 10, 2016 at 05:17:46PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Not supported types in nftables
Please, this should be "Not supported icmp codes in nftables" instead.
> are: any, network-unreachable, host-unreachable, protocol-unreachable,
'any' is e
On Fri, Mar 11, 2016 at 12:02:25AM +0530, Shivani Bhardwaj wrote:
> On Thu, Mar 10, 2016 at 11:45 PM, Laura Garcia Liebana
> wrote:
> > Avoid printing the log level in the translation when the level is the
> > default value.
> >
> > Example:
> >
> > $ sudo iptables-translate -t filter -A INPUT -m
On Thu, Mar 10, 2016 at 07:15:40PM +0100, Laura Garcia Liebana wrote:
> Avoid printing the log level in the translation when the level is the
> default value.
>
> Example:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
> nft add rule ip filter INPUT icmp type !=
On Thu, Mar 10, 2016 at 11:45 PM, Laura Garcia Liebana wrote:
> Avoid printing the log level in the translation when the level is the
> default value.
>
> Example:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
> nft add rule ip filter INPUT icmp type != router-so
On Thu, Mar 10, 2016 at 06:20:48PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples:
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http }
On Tue, Mar 08, 2016 at 08:44:19PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please apply the next patch against the nf tree:
>
> - Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute
> length was not checked explicitly. The patch adds the missing
> checkings.
>
> The patch
On Tue, Mar 08, 2016 at 08:27:30PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> On Sat, 5 Mar 2016, Pablo Neira Ayuso wrote:
>
> > On Mon, Feb 29, 2016 at 01:47:59PM +0100, Jozsef Kadlecsik wrote:
> > > On Mon, 29 Feb 2016, Pablo Neira Ayuso wrote:
> > >
> > > > On Wed, Feb 24, 2016 at 09:19:2
Avoid printing the log level in the translation when the level is the
default value.
Example:
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
nft add rule ip filter INPUT icmp type != router-solicitation counter log
Signed-off-by: Laura Garcia Liebana
---
extension
From: Cyrill Gorcunov
Date: Thu, 10 Mar 2016 18:09:20 +0300
> On Thu, Mar 10, 2016 at 02:03:24PM +0300, Cyrill Gorcunov wrote:
>> On Thu, Mar 10, 2016 at 01:20:18PM +0300, Cyrill Gorcunov wrote:
>> > On Thu, Mar 10, 2016 at 12:16:29AM +0300, Cyrill Gorcunov wrote:
>> > >
>> > > Thanks for explan
On Thu, Mar 10, 2016 at 06:00:01PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> > > We copy according to ->target|matchsize, so check that the netlink
> > > attribute
> > > (which can include padding and might be
Add the --disable-connlabel option and the appropriate functionality
associated with it.
After this patch, iptables configuration shows up as:
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support:ye
Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> > We copy according to ->target|matchsize, so check that the netlink attribute
> > (which can include padding and might be larger) contains enough data.
> >
> > Reported-by: Julia Lawall
> > Signed-off-
On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> We copy according to ->target|matchsize, so check that the netlink attribute
> (which can include padding and might be larger) contains enough data.
>
> Reported-by: Julia Lawall
> Signed-off-by: Florian Westphal
I think xt_chec
On Mon, Mar 07, 2016 at 12:03:30PM +0900, Simon Horman wrote:
> Hi Pablo,
>
> please consider these IPVS fixes for v4.5 or
> if it is too late please consider them for v4.6.
Pulled into nf-next, thanks Simon!
Ben Hawkes says:
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that xt_entry_for
On Thu, Mar 10, 2016 at 06:41:24AM -0800, Ben Hawkes wrote:
> On Thu, Mar 10, 2016 at 6:12 AM, Pablo Neira Ayuso
> wrote:
> > On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
> >> Ben Hawkes says:
> >>
> >> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
>
Add translation for icmp to nftables. Not supported types in nftables
are: any, network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-
Add translation for icmp to nftables. Not supported types in nftables
are: any, network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-
On Thu, Mar 10, 2016 at 02:03:24PM +0300, Cyrill Gorcunov wrote:
> On Thu, Mar 10, 2016 at 01:20:18PM +0300, Cyrill Gorcunov wrote:
> > On Thu, Mar 10, 2016 at 12:16:29AM +0300, Cyrill Gorcunov wrote:
> > >
> > > Thanks for explanation, Dave! I'll continue on this task tomorrow
> > > trying to impl
On Thu, Mar 10, 2016 at 6:12 AM, Pablo Neira Ayuso wrote:
> On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
>> Ben Hawkes says:
>>
>> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
>> is possible for a user-supplied ipt_entry structure to have a large
>>
On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
> Ben Hawkes says:
>
> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
> is possible for a user-supplied ipt_entry structure to have a large
> next_offset field. This field is not bounds checked prior to wr
Arturo Borrero Gonzalez wrote:
> Reported by Debian lintian tool.
>
> Signed-off-by: Arturo Borrero Gonzalez
> ---
> extensions/libxt_rpfilter.man |2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I pushed both patches to iptables master, thanks Arturo!
Added full translation for multiport
Examples:
$ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
{ ssh - http } counter accept
$ iptables-translate -A input -p sctp -m multiport --dports 11
Signed-off-by: Patrick McHardy
---
src/trace.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/trace.c b/src/trace.c
index 9655f0a..849003b 100644
--- a/src/trace.c
+++ b/src/trace.c
@@ -208,6 +208,7 @@ const char *nftnl_trace_get_str(const struct nftnl_trace
*trace, uint16_t type)
On 03/09/16 at 07:47pm, Joe Stringer wrote:
> On 9 March 2016 at 15:10, Jarno Rajahalme wrote:
> > Extend OVS conntrack interface to cover NAT. New nested
> > OVS_CT_ATTR_NAT attribute may be used to include NAT with a CT action.
> > A bare OVS_CT_ATTR_NAT only mangles existing and expected conne
Reported by Debian lintian tool.
Signed-off-by: Arturo Borrero Gonzalez
---
iptables/xtables-arp.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 26ece01..346bece 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtab
Reported by Debian lintian tool.
Signed-off-by: Arturo Borrero Gonzalez
---
extensions/libxt_rpfilter.man |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_rpfilter.man b/extensions/libxt_rpfilter.man
index f7f56d2..a3c0fcd 100644
--- a/extensions/libxt_rpfi
On Wed, Mar 09, 2016 at 07:53:07PM +0100, Laura Garcia Liebana wrote:
> Enable support for router-advertisement and router-solicitation icmp types in
> nft.
>
> Example:
> $ sudo nft add rule ip filter input icmp type router-advertisement counter
> accept
> $ sudo nft add rule ip filter input ic
On Wed, Mar 09, 2016 at 12:09:45AM +0100, Florian Westphal wrote:
> Signed-off-by: Florian Westphal
Thanks for these fixes Florian.
Acked-by: Pablo Neira Ayuso
for the entire series.
On Thu, Mar 10, 2016 at 01:20:18PM +0300, Cyrill Gorcunov wrote:
> On Thu, Mar 10, 2016 at 12:16:29AM +0300, Cyrill Gorcunov wrote:
> >
> > Thanks for explanation, Dave! I'll continue on this task tomorrow
> > trying to implement the optimization you proposed.
>
> OK, here are the results for the prel
On Thu, Mar 10, 2016 at 12:16:29AM +0300, Cyrill Gorcunov wrote:
>
> Thanks for explanation, Dave! I'll continue on this task tomorrow
> trying to implement the optimization you proposed.
OK, here are the results for the preliminary patch with conntrack running
---
[root@s125 ~]# ./exploit.sh
START 4
On Wed, Mar 9, 2016 at 2:24 AM, Jarno Rajahalme wrote:
> Remove the definition of IP_CT_NEW_REPLY from the kernel as it does
> not make sense. This allows the definition of IP_CT_NUMBER to be
> simplified as well.
I just realized that after V7 you stopped sending cover letter (patch 0/N)
with th
69 matches