Re: [PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Pablo Neira Ayuso
On Tue, May 31, 2016 at 12:08:57AM +0200, Arturo Borrero Gonzalez wrote: > On 30 May 2016 at 21:47, Laura Garcia Liebana wrote: > > Add translation for multiport to nftables, which it's supported natively. > > > > Examples: > > > > $ sudo iptables-translate -t filter -A INPUT -p

Re: [PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Arturo Borrero Gonzalez
On 30 May 2016 at 21:47, Laura Garcia Liebana wrote: > Add translation for multiport to nftables, which it's supported natively. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports > 80,81 -j ACCEPT > nft add rule ip filter INPUT ip

[PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Laura Garcia Liebana
Add translation for multiport to nftables, which it's supported natively. Examples: $ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept $ sudo iptables-translate -t filter -A

Re: kernel 4.5.1 issue at system boot

2016-05-30 Thread Arturo Borrero Gonzalez
On 30 May 2016 at 19:22, Pablo Neira Ayuso wrote: > On Mon, May 23, 2016 at 12:08:11PM +0200, Florian Westphal wrote: >> Arturo Borrero Gonzalez wrote: >> > On 23 May 2016 at 08:49, Arturo Borrero Gonzalez >> >

Re: [PATCH] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Arturo Borrero Gonzalez
On 30 May 2016 at 20:27, Laura Garcia Liebana wrote: > Add translation for multiport to nftables, which it's supported natively. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports > 80,81 -j ACCEPT > nft add rule ip filter INPUT ip

Re: [PATCH 1/2 nft] parser: Centralize commentary rule

2016-05-30 Thread Pablo Neira Ayuso
Applied, thanks. I have rewritten the email subject, the typical jargon word for this is "consolidation" instead of centralize. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

Re: [PATCH 2/2 nft] parser: Check commentaries length

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 30, 2016 at 06:35:40PM +0200, Carlos Falgueras García wrote: > Checks the commentary maximum length and reports to user in case of error. Also applied and I have rewritten the subject and description too to indicate why we need this check.

Re: kernel 4.5.1 issue at system boot

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 23, 2016 at 12:08:11PM +0200, Florian Westphal wrote: > Arturo Borrero Gonzalez wrote: > > On 23 May 2016 at 08:49, Arturo Borrero Gonzalez > > wrote: > > > This was in the log of my system boot today: > > > > > > >

Re: [PATCH libnfntl] Check all strdup

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 30, 2016 at 07:03:42PM +0200, Carlos Falgueras García wrote: > diff --git a/src/set.c b/src/set.c > index dbea93b..65b8f1e 100644 > --- a/src/set.c > +++ b/src/set.c > @@ -291,10 +295,16 @@ struct nftnl_set *nftnl_set_clone(const struct > nftnl_set *set) > > memcpy(newset,

[PATCH libnfntl] Check all strdup

2016-05-30 Thread Carlos Falgueras García
Check all strdup possible error and treat it consequently. Signed-off-by: Carlos Falgueras García --- src/chain.c | 12 src/expr/data_reg.c | 6 ++ src/expr/dynset.c| 4 src/expr/immediate.c | 2 ++ src/expr/log.c | 4

[PATCH 2/2 nft] parser: Check commentaries length

2016-05-30 Thread Carlos Falgueras García
Checks the commentary maximum length and reports to user in case of error. Example: > nft add table t > nft add chain t c > nft add rule t c ip saddr 1.1.1.1 counter comment "abc...xyz" # len > 128 :1:47-N: Error: Comment too long. 128 characters maximum allowed add rule t c ip saddr 1.1.1.1

[PATCH 1/2 nft] parser: Centralize commentary rule

2016-05-30 Thread Carlos Falgueras García
It makes more sense if this rule can not be empty, so it can be used both as mandatory and as optional. The higher rule should choose to use it one way or another. Signed-off-by: Carlos Falgueras García --- src/parser_bison.y | 25 +++-- 1 file changed, 15

Re: [PATCH nft] parser: Check commentaries length

2016-05-30 Thread Carlos Falgueras García
Thanks for the feedback, I will send now two new patches with the corrections.

Re: [PATCH nft] parser: Check commentaries length

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 30, 2016 at 05:41:00PM +0200, Carlos Falgueras García wrote: > Checks the commentary maximum length and reports to user in case of error. > > The commentary rule of the parser was simplified in order to centralize the > length checking. > > Signed-off-by: Carlos Falgueras García

[PATCH nft] parser: Check commentaries length

2016-05-30 Thread Carlos Falgueras García
Checks the commentary maximum length and reports to user in case of error. The commentary rule of the parser was simplified in order to centralize the length checking. Signed-off-by: Carlos Falgueras García --- include/parser.h | 6 ++ src/parser_bison.y | 31

[ANNOUNCE] libnftnl 1.0.6 release

2016-05-30 Thread Pablo Neira Ayuso
Hi! The Netfilter project proudly presents: libnftnl 1.0.6 libnftnl is a userspace library providing a low-level netlink programming interface (API) to the in-kernel nf_tables subsystem. The library libnftnl has been previously known as libnftables. This library is currently used by the

Re: [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports

2016-05-30 Thread Pablo Neira Ayuso
On Wed, May 25, 2016 at 11:13:57AM +0200, Pablo Neira Ayuso wrote: > Compare the helper name up to the dash, so we can catch if the user has > supplied duplicated ports via module parameters. > > Reported-by: Feng Gao > Reported-by: Taehee Yoo >

Re: [PATCH nft 1/3] datatype: fix parsing of tchandle type

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:07PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Properly detect tchandle strings in the lexer without quotation marks, > otherwise nft will complain the syntax error like this: > > # nft add rule filter test meta priority set

Re: [PATCH nft] parser: fix crash if we add a chain with an error chain type

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 07:25:37PM +0800, Liping Zhang wrote: > From: Liping Zhang > > If we add a chain and specify the nonexistent chain type, > chain_type_name_lookup > will return a NULL pointer, and meet the assert condition in xstrdup. > Fix crash like this: >

Re: [PATCH nft 3/3] meta: fix a format error display when we set priority to root or none

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:09PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Also delete the redundant '\n'. > This fixes: > > # nft add rule filter test meta priority set root > # nft list chain filter test > table ip filter { > chain test { >

Re: [PATCH nft 2/3] meta: fix endianness in priority

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:08PM +0800, Liping Zhang wrote: > From: Liping Zhang > > For example, after we add rule to set priority 1:2, it will be displayed in > network > byte order as 0200:0100, this is wrong: > > # nft add rule filter test meta priority set

Re: [PATCH 2/2 nft] set_elem: Use libnftnl/udata to store set element comment

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 27, 2016 at 04:56:55PM +0200, Carlos Falgueras García wrote: > The set element comment is stored in nftnl_set_elem->user.data using > libnftnl/udata infrastructure. This allows store multiple variable length > user data into set element. Applied, thanks.

Re: [PATCH 1/2 libnftnl] set_elem: Copy user data memory

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 27, 2016 at 04:56:54PM +0200, Carlos Falgueras García wrote: > All attributes are passed by copy, so user data should be copied too. Applied, thanks.

Re: [PATCH nf] netfilter: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags

2016-05-30 Thread Pablo Neira Ayuso
On Thu, May 26, 2016 at 07:08:10PM +0200, Paolo Abeni wrote: > With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at > flowi6_flags") ip6_pol_route() callers were asked to set the > FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly, > but with the later refactor in

Re: [PATCH -v2 4/6] locking, arch: Update spin_unlock_wait()

2016-05-30 Thread Peter Zijlstra
On Fri, May 27, 2016 at 03:34:13PM -0400, Chris Metcalf wrote: > >Does TILE never speculate reads? Because in that case the control > >dependency already provides a full load->load,store barrier and you'd > >want smp_acquire__after_ctrl_dep() to be a barrier() instead of > >smp_rmb(). > > Yes,