[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ]
The dummy ruleset I used to test the original validation change was broken,
most rules were unreachable and were not tested by mark_source_chains().
In some cases rulesets that used to load in a few seconds now require
several minutes.
Pablo Neira Ayuso wrote:
> On Wed, Jul 27, 2016 at 02:43:09AM +0200, Florian Westphal wrote:
> > This series adds support for setting ipv6 flowlabel and e.g.
> > ecn/dscp header fields for ipv4 and ipv6 by adding the needed
> > bitwise ops (and removing them during netlink
Pablo Neira Ayuso wrote:
> On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote:
> > 'ip6 ecn set 1' will generate a zero-sized write operation.
> > Just like when matching on bit-sized header fields we need to
> > round up to a byte-sized quantity and add a mask
On Wed, Jul 27, 2016 at 04:17:33AM +0200, Florian Westphal wrote:
> During NFWS we discussed reducing the number of keywords in nftables.
>
> Obviously keywords are required for the parser to know what to expect.
>
> But always requiring the 'meta' keyword would allow us to handle
> iif, oif,
On Tue, Jul 26, 2016 at 03:14:22PM +0100, Sami Kerola wrote:
> The footnote clarification to option argument documentation, so keep the
> indentation level same as for the arguments.
Applied, thanks.
On Sat, Jul 30, 2016 at 01:20:59PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> In iptables, "-i eth+" means match all in ifname with the prefix "eth".
> But in nftables, this was changed to "iifname eth*". So we should handle
> this subtle difference.
>
>
nft already assumes that passing NULL as data_len is valid, otherwise
it crashes. Fix this by leaving data_len unset in this specific case.
Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute
length")
Signed-off-by: Pablo Neira Ayuso
---
If we find a matching element that is inactive with no descendants, we
jump to the found label, then crash because of a NULL dereference on the
left branch.
Fix this by checking that the element is active and not an interval end
and skipping the logic that only applies to the tree iteration.
On Wed, Jul 27, 2016 at 02:43:09AM +0200, Florian Westphal wrote:
> This series adds support for setting ipv6 flowlabel and e.g.
> ecn/dscp header fields for ipv4 and ipv6 by adding the needed
> bitwise ops (and removing them during netlink decoding).
I'm hitting whitespace errors here:
On Wed, Jul 27, 2016 at 02:43:13AM +0200, Florian Westphal wrote:
> This allows nft to display payload set operations if the
> header isn't byte aligned or has non-byte divisible sizes.
>
> Signed-off-by: Florian Westphal
> ---
> src/netlink_delinearize.c | 165
>
On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote:
> 'ip6 ecn set 1' will generate a zero-sized write operation.
> Just like when matching on bit-sized header fields we need to
> round up to a byte-sized quantity and add a mask to retain those
> bits outside of the header bits that